C-Prot Windows telemetry updates

[tsale]

EDR Telemetry Pull Request

Contribution Details

Consolidates the C-Prot Windows telemetry updates that were originally submitted as separate PRs for individual subcategories:

• C-Prot Windows USB Device Mount #191 C-Prot Windows USB Device Mount
• C-Prot Windows USB Device Unmount #192 C-Prot Windows USB Device Unmount
• C-Prot Windows Group Policy Modification #193 C-Prot Windows Group Policy Modification
• C-Prot Windows Volume Shadow Copy Deletion #194 C-Prot Windows Volume Shadow Copy Deletion

Changed file:

• EDR_telem_windows.json

Telemetry Validation

Documentation or Evidence:

• Official documentation
• Screenshots attached
• Sanitized logs provided
• Private documentation

This PR preserves the submitted C-Prot Windows changes as a single OS-scoped review unit. Evidence details remain as provided by the contributor in the original PRs and should be reviewed before publication/merge.

Type of Contribution

• Adding telemetry information for an existing EDR product

Validation Details

EDR Product Information

• EDR Product Name: C-Prot EDR
• EDR Version: Not specified in the original PRs
• Operating System(s) Tested: Windows

Testing Methodology

Not specified in the original PRs. This consolidation was validated mechanically by:

• dry-merging PRs C-Prot Windows USB Device Mount #191-C-Prot Windows Volume Shadow Copy Deletion #194 together locally with no merge conflicts
• validating EDR_telem_windows.json as syntactically valid JSON

Additional Notes

This PR is intended to replace the individual C-Prot Windows PRs listed above so the project can review multiple same-OS telemetry changes in one pull request.

[tsale]

@husnuoner thank you for the C-Prot EDR telemetry contributions.

For future submissions, please group related telemetry updates into a single pull request per operating system rather than opening one pull request per individual category or row. For example:

• one PR for multiple Windows changes
• one PR for multiple Linux changes
• one PR for multiple macOS changes

This makes review, validation, and merging much easier for the project.

I’ve consolidated the current submissions into OS-scoped PRs here:

• macOS: #195
• Windows: #196

Thanks again for contributing.

[tsale]

@husnuoner - Can you please provide some information regarding the following?

• USB Mount/Unmount: I can only see usb mount information in the telemetry logs. Can you please provide evidence of HIDS telemetry as well? Otherwise, we will have to change this to "Partially"
• Regarding the Volume Shadow Copy deletion: this appears to be a detection. We do not track detection-derived telemetry in this project. I will change this to “No”.

[husnuoner]

@tsale thank you for the feedback. In addition to the telemetry logs, USB mount and unmount events are also captured under Peripheral Activity in our HIDS module. This provides detailed visibility into USB device connection and disconnection events at the endpoint level.
I am attaching the following as supporting evidence:

CSC screenshot – showing the Peripheral Activity view with USB mount/unmount events
Exported JSON file – containing the raw HIDS telemetry data for these events

These should confirm that USB mount/unmount activity is covered by both telemetry and HIDS, supporting a "Yes" rather than "Partially" designation.
Regarding Volume Shadow Copy Deletion – understood, we acknowledge that detection-derived telemetry is out of scope for this project. No objection to changing this to "No".
Please let us know if any further evidence is needed.

csc_telemetry_peripheral-activity-log_2026-06-15T12-02Z_2026-06-16T12-02Z.json.gz