Environment
- Carbon Black Cloud Sensor: 2.10.3, 2.11.3, 2.12.0, 2.13.1
- Linux: All Supported Versions
Question
How does event suppression work in the various Linux sensor versions?
Answer
- 2.10.3 - Duplicate events are not suppressed; Enterprise EDR and Endpoint Standard will have the same event count.
- 2.11.3 - Support was added for suppression of duplicate Enterprise EDR events, and new rules were deployed which activate the suppression. Significant drop in Enterprise EDR event count; Endpoint Standard events are unaffected.
- 2.12.0 - Rules were added to enable suppression of duplicate events; the Endpoint Standard event count drops.
- 2.13.0 - There was an issue in 2.13.0 which caused event suppression to fail and logs to fill up with “Bad File Data”. This was fixed in 2.13.1. Refer to Carbon Black Cloud: High CPU usage with Linux sensor 2.13.0
- 2.13.1 - The event suppression issue in 2.13.0 was fixed in 2.13.1, so event suppression rules are again the same as in the 2.12.0 release.
Additional Notes
Example:
[Attached image: example event counts for a Linux sensor; legend below]
- Events Collected - Number of raw events collected by the kernel module
- EEDR Events - Number of Enterprise EDR events reported
- ES Events - Number of Endpoint Standard events reported
- There are fewer types of Endpoint Standard events, so the count is lower.