Optics sensors

You can enable any of the following Optics sensors to collect additional data beyond standard process, file, network, registry, and thread events. Enabling optional sensors can impact performance and resource usage on devices, as well as the amount of data stored in the Optics database. BlackBerry recommends enabling optional sensors on a small number of devices initially to assess the impact.

The optional sensors are supported for 64-bit operating systems only.
Each sensor is listed below with its description, details (signal to noise ratio and potential impact), best practices, and notes.

Advanced Scripting Visibility

Description: The Optics agent records commands, arguments, scripts, and content from JScript, PowerShell (console and integrated scripting environment), VBScript, and VBA macro script execution.

Details:
  Signal to noise ratio: High
  Potential data retention and performance impact: Low to moderate

Best practices:
  Recommended for:
  • Desktops
  • Laptops
  • Servers
  Not recommended for:
  • Exchange and email servers

Notes:
  • Tools provided by Microsoft or other third-party solutions may rely heavily on PowerShell to conduct operations.
  • To allow for increased data retention, BlackBerry recommends that you configure detection exceptions for trusted tools that make heavy use of PowerShell.

Advanced WMI Visibility

Description: The Optics agent records additional WMI attributes and parameters.

Details:
  Signal to noise ratio: High
  Potential data retention and performance impact: Low

Best practices:
  Recommended for:
  • Desktops
  • Laptops
  • Servers

Notes:
  • Some Windows background and maintenance processes use WMI to schedule tasks or execute commands, which can result in bursts of high WMI activity.
  • BlackBerry recommends analyzing your environment’s WMI usage before you enable this sensor.

Cryptojacking Detection

Description: The Optics agent processes Intel CPU activity using hardware registers to detect potential cryptomining and cryptojacking activity.

Details:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low

Best practices:
  Supported for:
  • Windows 10 x64
  • Intel Gen 6 and newer CPUs

Notes:
  • Not supported for virtual machines.

DNS Visibility

Description: The Optics agent records DNS requests, responses, and associated data fields such as Domain Name, Resolved Addresses, and Record Type.

Details:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Moderate

Best practices:
  Recommended for:
  • Desktops
  • Laptops
  Not recommended for:
  • DNS servers

Notes:
  • This sensor can gather a significant amount of data, but it can also provide visibility into data that other tools have difficulty recording.
  • To allow for increased data retention, BlackBerry recommends that you configure detection exceptions for trusted tools that make heavy use of cloud-based services.

Enhanced File Read Visibility

Description: The Optics agent monitors file reads within an identified set of directories.

Details:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low

Best practices:
  Recommended for:
  • Desktops
  • Laptops
  • Servers

Notes:
  • Some third-party security tools may use the Windows APIs that this sensor collects data from. In some cases, Optics might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio, BlackBerry recommends that you configure detection exceptions for trusted security tools.

Enhanced Portable Executable Parsing

Description: The Optics agent records data fields associated with portable executable files, such as file version, import functions, and packer types.

Details:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low

Best practices:
  Recommended for:
  • Desktops
  • Laptops
  • Servers

Notes:
  • The data gathered by this sensor is passed into the Context Analysis Engine to aid with advanced executable file analysis and is not stored in the Optics database.
  • Enabling this sensor will have little to no impact on Optics data retention.

Enhanced Process and Hooking Visibility

Description: The Optics agent records process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection.

Details:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low

Best practices:
  Recommended for:
  • Desktops
  • Laptops
  • Servers

Notes:
  • Some third-party security tools may use the Windows APIs that this sensor collects data from. In some cases, Optics might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio, BlackBerry recommends that you configure detection exceptions for trusted security tools.

Private Network Address Visibility

Description: The Optics agent records network connections within the RFC 1918 and RFC 4193 address spaces.

Details:
  Signal to noise ratio: Low
  Potential data retention and performance impact: High

Best practices:
  Recommended for:
  • Desktops
  Not recommended for:
  • DNS servers
  • Low-resource or under-resourced systems
  • Systems that use RDP or other remote access software

Notes:
  • This sensor gathers a significant amount of data and can shorten the length of time that data is stored in the Optics database.
  • BlackBerry recommends that you enable this sensor only in environments where full visibility into private network address communication is a requirement.

Windows Advanced Audit Visibility

Description: The Optics agent monitors additional Windows event types and categories.

Details:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low

Notes:
  • This sensor enables monitoring of the following event IDs:
    • 4769 Kerberos ticket request
    • 4662 operation on Active Directory object
    • 4624 successful logon
    • 4702 scheduled task creation
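
Before enabling this sensor, it helps to know how often those four event IDs already fire on a given host and whether the audit subcategories that produce them are switched on. The following PowerShell script is an added example, not BlackBerry or Optics code; it assumes an elevated session on the Windows host being assessed, and the mapping of each event ID to its auditpol subcategory is standard Windows auditing, not something the page states.

```powershell
# Added example (not BlackBerry's code): estimate the volume of the four event IDs
# that the Windows Advanced Audit Visibility sensor monitors, and check that the
# audit subcategories emitting them are enabled. Reading the Security log needs an
# elevated session.

# Event IDs listed on the page, mapped to the auditpol subcategory that emits them
# (assumed standard Windows mapping, not taken from the page).
$auditMap = @{
    4769 = 'Kerberos Service Ticket Operations'   # Kerberos ticket request
    4662 = 'Directory Service Access'             # operation on Active Directory object
    4624 = 'Logon'                                # successful logon
    4702 = 'Other Object Access Events'           # scheduled task creation
}

function Get-AuditEventVolume {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$auditMap.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error rather than returning an empty set when nothing
    # matches, so suppress it and treat "no events" as a count of zero.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($id in $auditMap.Keys) {
        $count = @($events | Where-Object Id -eq $id).Count
        [pscustomobject]@{
            EventId     = $id
            Subcategory = $auditMap[$id]
            Count       = $count
            PerHour     = [math]::Round($count / $Hours, 1)
        }
    }
}

# Per-ID volume over the last 24 hours: a high per-hour rate on this host means the
# sensor will consume Optics retention faster than the "Low" rating suggests.
Get-AuditEventVolume -Hours 24 | Sort-Object EventId | Format-Table -AutoSize

# Effective audit policy for each subcategory. A subcategory reporting "No Auditing"
# never writes the event, so the sensor would record nothing for that ID.
foreach ($name in $auditMap.Values) {
    auditpol /get /subcategory:"$name"
}
```

Run it on a representative desktop, a member server, and a domain controller separately; 4769 and 4662 are typically near zero on workstations but can be very high on domain controllers.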

Windows Event Log Visibility

Description: The Optics agent records Windows security events and their associated attributes.

Details:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Moderate

Best practices:
  Recommended for:
  • Desktops
  • Laptops
  • Servers
  Not recommended for:
  • Domain controllers
  • Exchange and email servers

Notes:
  • The Windows event logs that this sensor collects data from are generated frequently during normal system usage.
  • To reduce duplicate data and to allow for increased data retention, determine whether your organization already has tools in place that collect data from Windows event logs.