Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Events Suppression in Linux Sensors

Carbon Black Cloud: Events Suppression in Linux Sensors

Environment

  • Carbon Black Cloud Sensor: 2.10.3, 2.11.3,2.12.0, 2.13.1
  • Linux: All Supported Versions

Question

How events suppression works in various Linux Sensors ?

Answer

  • 2.10.3 - Duplicates Events are not suppressed, Enterprise EDR and Endpoint Standard will have the same events count.
  • 2.11.3 - Support was added for suppression of duplicate Enterprise EDR events and new rules were deployed which activate the suppression. Significant drop in Enterprise EDR event count  Endpoint Standard events are unaffected.
  • 2.12.0 - Rules were added to enable suppression of duplicate events Endpoint Standard events count drops.
  • 2.13.0 - There was an issue in 2.13.0 which cause event suppression to fail and logs to fill up with “Bad File Data” and this was fixed in 2.13.1. Ref to Carbon Black Cloud: High CPU usage with Linux sensor 2.13.0
  • 2.13.1 - The issue event suppression issue in 2.13.0 was fixed in 2.13.1 so that event suppression rules are again the same as in the 2.12.0 release.

Additional Notes

Example: 
This is a article attached imageThis is a article attached image
  • Events Collected - Number of raw events collected by the kernel module
  • EEDR Events - Number of Enterprise EDR events reported
  • ES Events - Number of Endpoint Standard events reported
  • There are fewer types of Endpoint Standard events so the count is lower.

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎07-22-2022
Views:
268
Contributors