ETW telemetry architecture
What this page is
The ETW trace session configuration, the 13 telemetry channels the sensor consumes, their provider GUIDs, event IDs, rate limits, data volume estimates, and the OCSF normalisation pipeline that maps raw ETW events into the shared schema.
Why it exists this way
ETW is the only supported kernel-to-user telemetry path on
Windows that does not require a signed kernel driver. Microsoft's
Defender, Sentinel, and Defender for Endpoint all use the same
providers, which means the event schema is stable across Windows
10/11 builds and Server editions. The sensor consumes traces via
OpenTrace / ProcessTrace rather than log files because the
streaming model avoids disk I/O on the endpoint.
How it works
The edr_windows::etw module implements EtwOrchestrator which
creates a single system trace session named AuroraEDR with 13
enabled providers. Each provider is configured with a keyword mask
and level to minimise noise.
Provider inventory
| # | Provider | GUID | Event IDs | Rate limit | Data/week (est.) |
|---|---|---|---|---|---|
| 1 | Kernel-Process | {22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716} | 1,3,5,12 | 5000/min | 320 MB |
| 2 | Kernel-File | {edd08927-9cc4-4e65-b970-c256bfb5e289} | 30,31,32 | 20000/min | 1.2 GB |
| 3 | Kernel-Network | {7dd42a49-5329-4832-8dfd-43d979153a88} | 12,15,17 | 10000/min | 800 MB |
| 4 | Kernel-Registry | {70eb4f03-c1de-4f73-a051-33d13d5413bd} | 1,2,5,12 | 5000/min | 180 MB |
| 5 | Win32k-Injection | {6f9c9314-b1c3-4a05-8b8a-4a2b5a2a4bf1} | 1,2,3 | 100/min | 12 MB |
| 6 | Microsoft-Windows-DNS-Client | {1c95126e-7eea-49a9-a3fe-a378b03ddb4d} | 3006,3008 | 5000/min | 60 MB |
| 7 | Microsoft-Windows-PowerShell | {a0c1853b-5c40-4b15-8766-3cf1c58f985a} | 4103,4104,53504 | 1000/min | 45 MB |
| 8 | Microsoft-Windows-WMI-Activity | {1418ef04-b0b4-4625-bf7e-d74ab47bbdaa} | 11,22,23 | 2000/min | 80 MB |
| 9 | Microsoft-Windows-TaskScheduler | {de7b24ea-73c8-4a09-985d-5bdadcfa9017} | 106,141 | 500/min | 10 MB |
| 10 | Microsoft-Windows-Services | {0063715b-eeda-4007-9429-ad526f62696e} | 102,103,104 | 200/min | 5 MB |
| 11 | Microsoft-Windows-Security-Mitigations | {fae10392-f0af-4ac0-b8ff-9f4d920c3cdf} | 2,5,13,14 | 100/min | 3 MB |
| 12 | Threat-Intelligence | {f4e1897c-bb5d-5668-f1d8-040f4d8dd344} | 1-15 | Unbounded | 150 MB |
| 13 | Microsoft-Windows-Sysmon | {5770385f-c22a-43e0-bf4c-06f5698ffbd9} | 1,3,7,8,11,12,13 | 10000/min | 400 MB |
OCSF mapping
Each ETW event type is normalised into an OCSF 1.3 activity class.
The edr_windows::ocsf module mirrors edr_linux::ocsf with
platform-specific normalisers:
| ETW provider | Native event | OCSF class |
|---|---|---|
| Kernel-Process (id=1) | ProcessStart | process_activity (activity_id=1) |
| Kernel-File (id=30) | FileCreate | file_activity (activity_id=1) |
| Kernel-Network (id=12) | TcpConnect | network_activity (activity_id=1) |
| Kernel-Registry (id=5) | RegSetValue | registry_key_activity (activity_id=5) |
| DNS-Client (id=3008) | DnsQuery | dns_activity (activity_id=1) |
| PowerShell (id=4104) | ScriptBlock | script_activity (activity_id=1) |
| Win32k-Injection (id=1) | RemoteThread | process_activity (activity_id=14) |
| TaskScheduler (id=106) | TaskCreated | scheduled_job_activity (activity_id=1) |
MITRE ATT&CK coverage via ETW
| ATT&CK ID | Technique | ETW provider(s) |
|---|---|---|
| T1059.001 | PowerShell | PowerShell (4104) |
| T1055.001 | DLL injection | Win32k-Injection (1,2,3) |
| T1055.012 | Process hollowing | Kernel-Process (1,5) + TI (12) |
| T1547.001 | Registry run keys | Kernel-Registry (5,12) |
| T1053.005 | Scheduled task | TaskScheduler (106,141) |
| T1562.001 | Disable tools | WMI-Activity (22,23) |
| T1071.001 | DNS C2 | DNS-Client (3008) |
| T1070.004 | File deletion | Kernel-File (31) |
| T1027.005 | Multi-stage obfuscation | PowerShell (4104) |
| T1095 | Non-application protocol | Kernel-Network (12,15) |
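The two tables above (the OCSF mapping and the ATT&CK coverage) are easiest to understand as one normalisation step: a raw (provider, event id) pair is resolved to an OCSF class and activity_id, the record is tagged with every ATT&CK technique the coverage table attributes to that pair, and pairs with no OCSF mapping are rejected rather than emitted half-formed. The following Rust is an added example written for this page; it is not the edr_windows::ocsf module's code. The RawEtwEvent and OcsfEvent shapes, the flattened "metadata.*" / "unmapped.*" keys and the sample field names are this example's assumptions; the class names, activity ids and technique ids are taken from the tables.

```rust
use std::collections::BTreeMap;

/// Raw event as handed over by the trace callback (shape assumed for this example).
#[derive(Debug, Clone)]
pub struct RawEtwEvent {
    pub provider: String,
    pub event_id: u16,
    pub fields: BTreeMap<String, String>,
}

/// Minimal OCSF 1.3 envelope: class name, activity_id, ATT&CK tags and flattened fields.
#[derive(Debug, Clone, PartialEq)]
pub struct OcsfEvent {
    pub class_name: &'static str,
    pub activity_id: u8,
    pub attack_technique_ids: Vec<&'static str>,
    pub data: BTreeMap<String, String>,
}

/// (provider, event id) -> (OCSF class, activity_id), copied from the OCSF mapping table.
const CLASS_MAP: &[(&str, u16, &str, u8)] = &[
    ("Kernel-Process", 1, "process_activity", 1),
    ("Kernel-File", 30, "file_activity", 1),
    ("Kernel-Network", 12, "network_activity", 1),
    ("Kernel-Registry", 5, "registry_key_activity", 5),
    ("DNS-Client", 3008, "dns_activity", 1),
    ("PowerShell", 4104, "script_activity", 1),
    ("Win32k-Injection", 1, "process_activity", 14),
    ("TaskScheduler", 106, "scheduled_job_activity", 1),
];

/// (ATT&CK id, provider, event ids), copied from the coverage table.
const ATTACK_MAP: &[(&str, &str, &[u16])] = &[
    ("T1059.001", "PowerShell", &[4104]),
    ("T1055.001", "Win32k-Injection", &[1, 2, 3]),
    ("T1055.012", "Kernel-Process", &[1, 5]),
    ("T1547.001", "Kernel-Registry", &[5, 12]),
    ("T1053.005", "TaskScheduler", &[106, 141]),
    ("T1562.001", "WMI-Activity", &[22, 23]),
    ("T1071.001", "DNS-Client", &[3008]),
    ("T1070.004", "Kernel-File", &[31]),
    ("T1027.005", "PowerShell", &[4104]),
    ("T1095", "Kernel-Network", &[12, 15]),
];

/// Every technique the coverage table attributes to this (provider, event id).
/// One event can carry several tags (PowerShell 4104 maps to two techniques).
pub fn attack_ids_for(provider: &str, event_id: u16) -> Vec<&'static str> {
    ATTACK_MAP
        .iter()
        .filter(|(_, p, ids)| *p == provider && ids.contains(&event_id))
        .map(|(t, _, _)| *t)
        .collect()
}

/// Normalise one raw event. Returns None when the pair has no OCSF mapping so the
/// caller can count it, instead of emitting a record with an empty class.
pub fn normalise(raw: &RawEtwEvent) -> Option<OcsfEvent> {
    let (_, _, class_name, activity_id) = CLASS_MAP
        .iter()
        .find(|(p, id, _, _)| *p == raw.provider.as_str() && *id == raw.event_id)?;
    let mut data = raw.fields.clone();
    // Provenance carried on every record; key layout is this example's assumption.
    data.insert("metadata.product.name".into(), "AuroraEDR".into());
    data.insert("metadata.version".into(), "1.3".into());
    data.insert("unmapped.provider".into(), raw.provider.clone());
    data.insert("unmapped.event_id".into(), raw.event_id.to_string());
    Some(OcsfEvent {
        class_name: *class_name,
        activity_id: *activity_id,
        attack_technique_ids: attack_ids_for(&raw.provider, raw.event_id),
        data,
    })
}

fn main() {
    // Constructed sample: a script block event with one assumed field name.
    let raw = RawEtwEvent {
        provider: "PowerShell".into(),
        event_id: 4104,
        fields: BTreeMap::from([("ScriptBlockText".to_string(), "Get-Process".to_string())]),
    };
    match normalise(&raw) {
        Some(ev) => println!("{ev:?}"),
        None => println!("no OCSF mapping for {}/{}", raw.provider, raw.event_id),
    }
}
```

Note what the two tables together imply: Kernel-File event 31 (FileDelete) has ATT&CK coverage but no row in the OCSF mapping table, so normalise returns None for it while attack_ids_for still yields T1070.004. A pipeline built this way should count those None results per (provider, event id) to make such gaps visible.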
What goes wrong
- EtwOrchestrator fails to start the trace session because another ETW consumer (Sysmon, third-party AV) already owns a session with the same name. The orchestrator appends a numeric suffix to the session name and retries.
- Provider registration fails silently if the required manifest is not installed. The orchestrator logs a warning for each missing provider and continues with the remaining channels.
- Microsoft-Windows-Threat-Intelligence requires Windows 10 1809+ and is conditionally enabled at startup via KernelInfo::probe_running_kernel. On Server 2016 this provider is skipped without error.
- High event volume from Kernel-File on busy workstations exceeds the rate limiter. The per-provider rate limiter drops events oldest-first and increments etw_dropped_events_total so fleet operators can tune the limits per endpoint workload.