Telemetry Reference
The TridentStack Control agent collects system state data at regular intervals and sends it to the platform for analysis, scoring, and compliance evaluation. This page documents every category of data the agent collects.
Telemetry Categories
System Information
Core operating system and hardware details collected on agent startup and periodically refreshed.
| Data Point | Description | Platforms |
|---|---|---|
| OS name and version | e.g., "Windows 11 Pro 24H2", "Ubuntu 22.04" | Windows, Linux |
| OS build number | Full build including UBR (e.g., "26100.2605") | Windows |
| OS architecture | x64, x86, ARM64 | Windows, Linux |
| OS edition | Professional, Enterprise, ServerStandard | Windows |
| System locale | e.g., "en-US" | Windows |
| CPU details | Processor model and core count | Windows, Linux |
| RAM | Total and available memory | Windows, Linux |
| Disk partitions | Mount points, total/free space, system drive flag | Windows, Linux |
Windows Defender Status
Antivirus and endpoint protection state (Windows only).
| Data Point | Description |
|---|---|
| Signature version | Current definition version (e.g., "1.425.67.0") |
| Signature age | Hours since last definition update |
| Engine version | Antimalware engine version |
| Product version | Defender product version |
| Out-of-date flag | Whether Defender considers signatures stale |
| Real-time protection | Whether real-time scanning is active |
EDR and Third-Party Antivirus
Detection of installed security products beyond Windows Defender.
| Data Point | Description | Platforms |
|---|---|---|
| Product name | Name of detected EDR/AV product | Windows |
| Vendor | Product vendor | Windows |
| Version | Installed version | Windows |
| Enabled status | Whether the product is active | Windows |
| Primary flag | Whether this is the primary antivirus | Windows |
Software Inventory
Complete enumeration of installed applications.
Windows:
| Data Point | Description |
|---|---|
| Application name | Display name from the registry |
| Version | Installed version string |
| Publisher | Vendor or company |
| Install path | Installation directory |
| Install date | When the application was installed |
| Size | Installation size |
| Install source | Package manager used (Winget, MSI, etc.) |
| Package ID | Winget package identifier, if applicable |
Linux:
| Data Point | Description |
|---|---|
| Package name | e.g., "openssl", "nginx" |
| Version | Installed version |
| Architecture | amd64, arm64, i386 |
| Size | Installed size |
| Source repository | main, universe, security, etc. |
| Description | Short package description |
Network Configuration
Network interfaces and connectivity details.
| Data Point | Description | Platforms |
|---|---|---|
| Interface name | e.g., "Ethernet", "eth0" | Windows, Linux |
| MAC address | Hardware address | Windows, Linux |
| IP addresses | IPv4 and IPv6 addresses | Windows, Linux |
| Subnet / CIDR | Network mask | Windows, Linux |
| Gateway | Default gateway address | Windows, Linux |
| DNS servers | Configured DNS resolvers | Windows, Linux |
| Connection status | Connected, disconnected | Windows, Linux |
| Interface type | Ethernet, Wireless, VPN, Loopback | Windows, Linux |
| Speed | Link speed in Mbps | Windows, Linux |
Network Ports and Exposure
Listening ports with process attribution and firewall context. See Network Exposure for full details.
| Data Point | Description | Platforms |
|---|---|---|
| Port and protocol | Port number with TCP/UDP | Windows, Linux |
| Binding address | What address the service listens on | Windows, Linux |
| Process name and path | Which process holds the port | Windows, Linux |
| Process signing | Whether the executable is signed | Windows |
| Firewall state | Whether the firewall allows inbound | Windows |
| Service identity | Windows service name and display name | Windows |
| Docker container | Container name and image for docker-proxy ports | Linux |
Policy State
Configuration policy data from multiple sources (Windows only).
| Data Point | Description |
|---|---|
| Platform policy settings | Settings pushed by TridentStack Control |
| Domain GPO settings | Active Directory Group Policy (via gpresult) |
| Intune MDM settings | Mobile Device Management policies (via CSP registry) |
| Local registry settings | Values not claimed by other sources |
| Security policies | Account lockout, password policy, UAC settings |
| Audit policies | Windows audit policy configuration |
Windows Services
State of all Windows services.
| Data Point | Description |
|---|---|
| Service name | Internal service name |
| Display name | Human-readable name |
| Status | Running, Stopped, Disabled |
| Start type | Automatic, Manual, Disabled |
| Binary path | Executable location |
| Service account | Account the service runs under |
Certificates
Installed certificates across all certificate stores (Windows only).
| Data Point | Description |
|---|---|
| Subject | Certificate subject (CN) |
| Issuer | Certificate authority |
| Thumbprint | SHA-1 fingerprint |
| Expiration date | When the certificate expires |
| Store | Certificate store location (Trusted Root, Personal, etc.) |
| Key length | Cryptographic key size |
| Self-signed flag | Whether the certificate is self-signed |
Windows Features
Installed Windows features and roles (Windows only).
| Data Point | Description |
|---|---|
| Feature name | e.g., "Hyper-V", "IIS", "Windows Subsystem for Linux" |
| Status | Enabled or Disabled |
Scheduled Tasks
Scheduled tasks and their configuration (Windows only).
| Data Point | Description |
|---|---|
| Task name | Name and folder path |
| Status | Ready, Running, Disabled |
| Trigger | Schedule type (on boot, at logon, cron-like) |
| Last/Next run | Previous and upcoming execution times |
| Last result | Exit code from most recent run |
| Run-as user | Account the task executes under |
| Action | Command or script executed |
Local Groups and Membership
Local group membership (Windows only).
| Data Point | Description |
|---|---|
| Group name | e.g., "Administrators", "Remote Desktop Users" |
| Members | Users and groups in each local group |
| Member type | Local User, Domain User, Group |
| Domain membership | Domain name and controller, if domain-joined |
Defender ASR Rules
Attack Surface Reduction rule state (Windows only).
| Data Point | Description |
|---|---|
| Rule ID | GUID of each ASR rule |
| Rule name | e.g., "Block Office apps from creating child processes" |
| Mode | Block, Warn, Audit, or Off |
Extended Security Updates (ESU)
ESU license state for older Windows versions (Windows only).
| Data Point | Description |
|---|---|
| ESU status | Active, None, or Not Applicable |
| ESU year | Year 1, 2, or 3 of extended support |
.NET Versions
Installed .NET Framework and .NET runtime versions (Windows only).
| Data Point | Description |
|---|---|
| Framework versions | All installed .NET Framework versions (3.5, 4.8, etc.) |
| Modern runtimes | .NET 5+ runtimes (NETCore, AspNetCore, WindowsDesktop) |
Office Installation
Microsoft Office details (Windows only).
| Data Point | Description |
|---|---|
| Products | Installed Office products |
| Architecture | 32-bit or 64-bit |
| Version | Installed version |
| Update channel | Current, Monthly Enterprise, Semi-Annual, etc. |
Reboot State
Whether the system is pending a restart.
| Data Point | Description | Platforms |
|---|---|---|
| Reboot pending | Whether updates or configuration changes require a restart | Windows, Linux |
| WUA install events | Windows Update Agent events since last boot (KB, status, error code) | Windows |
Pre-Staged Files
Downloaded update files waiting to be installed.
| Data Point | Description | Platforms |
|---|---|---|
| KB number | Update identifier | Windows |
| Filename | Downloaded file name | Windows |
| File size | Size of the downloaded file | Windows |
| Download time | When the file was downloaded | Windows |
Collection Schedule
| Telemetry Type | Default Interval | Trigger |
|---|---|---|
| System information | On startup, then periodic | Also on-demand via Refresh |
| Software inventory | On startup, then periodic | Also after app install/uninstall |
| Network ports | Every 1 hour | Also on-demand via Refresh |
| Policy state | On check-in | When policy changes are detected |
| Certificates | Periodic | On-demand via Refresh |
| Services | Periodic | On-demand via Refresh |
| Defender status | Periodic | On-demand via Refresh |
All telemetry can be refreshed on-demand from the agent detail page using the Refresh button on each tab.
How Telemetry Is Used
Telemetry data flows through several analysis services after collection:
| Service | What It Does |
|---|---|
| Vulnerability Scanner | Matches installed software against CVE databases to detect known vulnerabilities |
| Update Applicability | Determines which system updates apply to the endpoint based on OS version and installed KBs |
| App Applicability | Determines which application updates are available based on installed software versions |
| Compliance Evaluator | Evaluates agent state against assigned compliance frameworks (CIS, DISA STIG, etc.) |
| Health Score | Combines vulnerability, compliance, update, and network data into the overall health score |
Data Quality
The agent includes quality safeguards in its telemetry:
- State hashing: Each telemetry payload includes a SHA-256 hash so the server can detect duplicate data and skip redundant processing.
- Error reporting: If any individual data collection fails, the agent reports the error alongside the data it could collect, rather than failing the entire telemetry cycle.
- Version tracking: Each telemetry message includes a schema version for forward compatibility.
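
The three safeguards above, sketched as an added example (this is not TridentStack code). The page does not document the wire format, so the field names (`state_hash`, `schema_version`, `errors`, `collected_at`), the category name, the supported versions and the reject-on-unknown-version policy are all assumptions. It shows why the hash must cover a canonical encoding without volatile fields, and why the receiver recomputes it instead of trusting the agent's value.

```python
import hashlib
import json

SUPPORTED_SCHEMAS = {1, 2}            # assumed: versions this receiver can parse
VOLATILE_FIELDS = {"collected_at"}    # assumed: fields left out of the state hash


def state_hash(state: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys), ignoring volatile fields."""
    stable = {k: v for k, v in state.items() if k not in VOLATILE_FIELDS}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_message(agent_id, category, state, errors=(), schema_version=2):
    """Agent side: ship whatever was collected, plus errors, version and hash."""
    return {"agent_id": agent_id, "category": category,
            "schema_version": schema_version, "state": state,
            "errors": list(errors), "state_hash": state_hash(state)}


class Ingest:
    """Receiver side: validate, skip unchanged state, accept partial data."""

    def __init__(self):
        self.last_hash = {}           # (agent_id, category) -> last accepted hash

    def handle(self, msg: dict) -> str:
        if msg.get("schema_version") not in SUPPORTED_SCHEMAS:
            return "rejected:unsupported_schema"
        # Recompute the hash; a mismatch means corruption or tampering.
        if state_hash(msg["state"]) != msg.get("state_hash"):
            return "rejected:hash_mismatch"
        key = (msg["agent_id"], msg["category"])
        if self.last_hash.get(key) == msg["state_hash"]:
            return "skipped:duplicate"
        self.last_hash[key] = msg["state_hash"]
        return "processed:partial" if msg["errors"] else "processed"


def demo():
    """Runs constructed sample messages (not real agent output)."""
    srv = Ingest()
    ports = {"ports": [{"port": 443, "proto": "tcp"}], "collected_at": "T0"}
    same = dict(ports, collected_at="T1")          # only the timestamp moved
    partial = {"ports": [], "collected_at": "T2"}  # one collector failed
    send = lambda *a, **kw: srv.handle(build_message("a1", "network_ports", *a, **kw))
    return [send(ports), send(same),
            send(partial, errors=["firewall: access denied"]),
            send(ports, schema_version=99)]
```
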