Back to Blogs

Announcing the Event Reporting and Sensor Operation Exclusions Feature

Posted on January 31, 2024

Overview

VMware Carbon Black is pleased to announce the release of the Event Reporting and Sensor Operation Exclusions feature. Event Reporting and Sensor Operation Exclusions increase the ability of Endpoint Standard and Enterprise EDR customers to tune product behavior to resolve operational issues and meet business needs.

Endpoint Standard and Enterprise EDR are powerful security solutions that collect large volumes of data and constantly evaluate endpoint activity to keep organizations safe from cyber attacks. Normally, these products’ default behaviors do not need to be suppressed, but in some cases, it may be necessary to tune their event reporting and/or sensor operation behaviors to resolve operational issues, such as network performance issues, endpoint performance issues, or interoperability issues with third-party software.

The types of exclusions available depend on the products you are subscribed to.

  1. Endpoint Standard Only
    • Event Reporting and Sensor Operation Exclusions - stops reporting certain Observation types and suppresses sensor actions to improve performance.
  2. Enterprise EDR Only
    • Event Reporting Exclusions - stops reporting specified raw events.
    • Event Reporting and Sensor Operation Exclusions - stops reporting raw events and suppresses sensor actions to improve performance.
  3. Endpoint Standard and Enterprise EDR
    • Event Reporting Exclusions - stops reporting specified raw events.
    • NGAV Reporting and Sensor Operations Exclusions - stops reporting certain Observation Types and suppresses sensor actions to improve performance.
    • All Reporting and Sensor Operations Exclusions - stops reporting raw events and suppresses sensor actions to improve performance.

The Policy Service has been extended with Bypass Rule Configs for this new feature.

See the Event Reporting and Sensor Operation Exclusions section of the Carbon Black Cloud User Guide for details on the types of exclusions and how to configure them in the User Interface.

Use Cases

All exclusion types are applied on a per-process basis and are highly customizable to allow you to resolve operational issues with the narrowest exclusion possible, and therefore the minimal detriment to endpoint visibility and security efficacy.

  • Use Event Reporting Exclusions to address network performance issues

    • Decrease the number of events that are reported by the sensor to the Cloud, therefore reducing network bandwidth consumption, and only apply to Enterprise EDR.

  • Use Event Reporting and Sensor Operation Exclusions for endpoint performance and interoperability issues.

    • Decrease the number of events the sensor reports to the cloud and the number of operations the sensor performs, such as generating a hash, gathering signature information, evaluating reputation, performing detections.

  • The API is recommended only for copying complete rule configurations between orgs or policies, rather than creating new configs or editing rules. The Carbon Black Cloud console has been designed to make configuring complex exclusions easier and is the recommended choice creating new exclusions.

  • Exclusion support has been added to the Endpoint Standard Core Prevention feature

    • Within the Prevention tab of the Policies page you’ll be able to enforce process-based exclusions to Core Prevention to reduce its false positives and improve its prevention efficacy.
    • Read more in the Announcement Blog.

Requirements

  • Carbon Black Cloud Endpoint Standard or Enterprise EDR
  • Supported on Windows sensors 3.6+, most effective on Windows sensors 4.0+.
  • API key with appropriate permissions. See Authentication for details.

More Information

Have questions or feedback?

  • Subscribe to the Developer Network Newsletter