The engine supports six types of telemetry, as described by the table below.
|IP||Egress IPv4 and IPv6 connections to Internet destinations|
|DNS||Egress DNS query events for valid Internet domains|
|HTTP||Egress HTTP requests to Internet destinations|
|TLS||TLS sessions, including JA3 fingerprints and X.509 certificate information|
|DHCP||DHCP telemetry is used to correlate alerts to hostnames and identities|
|VPN||VPN telemetry is used to correlate alerts to hostnames and identities|
Note: AE expects egress network events (i.e. traffic originating within your environment flowing outbound to the Internet, known as north-south telemetry) versus ingress events, as our use cases are tuned to identify compromised systems communicating outward to odd destinations.