Author: Daniel Ferullo
Word count: 803

Summary

Elastic Defend has significantly reduced its data volume while maintaining its protection level and visibility, addressing the challenges of excessive endpoint telemetry that can lead to storage cost increases, search delays, and alert fatigue. From version 8.13 to 8.18, data volume was reduced by 68% on Linux, 57% on macOS, and 48% on Windows, thanks to several data efficiency improvements. These include merging short-lived process and network events, eliminating duplicate network events, and focusing on SHA256 hashes instead of legacy MD5 or SHA1 hashes. The changes are controlled by advanced options, ensuring existing Elastic Defend policies maintain prior behavior post-upgrade. The enhancements aim to lower operational costs and improve the usability of Elastic Defend without compromising its security effectiveness.