CylanceOPTICS sensors Skip Navigation
  1. BlackBerry Docs
  2. Cylance Endpoint Security
  3. Administration
  4. Cylance Endpoint Security Administration Guide
  5. Analyzing data collected by CylanceOPTICS
  6. CylanceOPTICS sensors

CylanceOPTICS
 sensors

You can enable any of the following
CylanceOPTICS
 sensors to collect additional data beyond standard process, file, network, and registry events. Enabling optional sensors can impact performance and resource usage on devices, as well as the amount of data stored in the
CylanceOPTICS
 database.
BlackBerry
 recommends enabling optional sensors on a small number of devices initially to assess the impact.
The optional sensors are supported for 64-bit operating systems only, unless otherwise noted.
Sensor
Description
Best practices
Notes
Advanced Scripting Visibility
The
CylanceOPTICS
 agent records commands, arguments, scripts, and content from JScript, PowerShell (console and integrated scripting environment), VBScript, and VBA macro script execution.
Signal to noise ratio: High
Potential data retention and performance impact: Low to moderate
Recommended for:
  • Desktops
  • Laptops
  • Servers
Not recommended for:
  • Exchange and email servers
  • Tools provided by
    Microsoft
     or other third-party solutions may rely heavily on PowerShell to conduct operations.
  • To allow for increased data retention,
    BlackBerry
     recommends that you configure detection exceptions for trusted tools that make heavy use of PowerShell.
Advanced WMI Visibility
The
CylanceOPTICS
 agent records additional WMI attributes and parameters.
Signal to noise ratio: High
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Some
    Windows
     background and maintenance processes use WMI to schedule tasks or execute commands, which can result in bursts of high WMI activity.
  • BlackBerry
     recommends analyzing your environment’s WMI usage before you enable this sensor.
API Sensor
The
CylanceOPTICS
 agent monitors an identified set of
Windows
 API calls.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Enabling this sensor may impact a device's CPU performance
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Supported on x86 or x64
    Windows
     operating systems.
  • Requires the
    CylancePROTECT Desktop
     agent version 3.0.1003 or later.
  • Requires the
    CylanceOPTICS
     agent version 3.2 or later.
Cryptojacking Detection
The
CylanceOPTICS
 agent processes
Intel
 CPU activity using hardware registers for potential cryptomining and cryptohacking activity.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Supported for:
  • Windows
     10 x64
  • Intel
     Gen 6 and newer CPUs
Not supported for virtual machines.
DNS Visibility
The
CylanceOPTICS
 agent records DNS requests, responses, and associated data fields such as Domain Name, Resolved Addresses, and Record Type.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Moderate
Recommended for:
  • Desktops
  • Laptops
Not recommended for:
  • DNS servers
  • Note that this sensor can gather a significant amount of data, but can also provide visibility into data that other tools have difficulty recording.
  • To allow for increased data retention,
    BlackBerry
     recommends that you configure detection exceptions for trusted tools that make heavy use of cloud-based services.
Enhanced File Read Visibility
The
CylanceOPTICS
 agent monitors file reads within an identified set of directories.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Some third-party security tools may use the
    Windows
     APIs that this sensor collects data from. In some cases,
    CylanceOPTICS
     might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio,
    BlackBerry
     recommends that you configure detection exceptions for trusted security tools.
Enhanced Portable Executable Parsing
The
CylanceOPTICS
 agent records data fields associated with portable executable files, such as file version, import functions, and packer types.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • The data gathered by this sensor is passed into the Context Analysis Engine to aid with advanced executable file analysis and is not stored in the
    CylanceOPTICS
     database.
  • Enabling this sensor will have little to no impact on
    CylanceOPTICS
     data retention.
  • If you add and enable a detection rule that analyzes string resources, the
    CylanceOPTICS
     agent might consume significant CPU and memory resources
Enhanced Process and Hooking Visibility
The
CylanceOPTICS
 agent records process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Some third-party security tools may use the
    Windows
     APIs that this sensor collects data from. In some cases,
    CylanceOPTICS
     might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio,
    BlackBerry
     recommends that you configure detection exceptions for trusted security tools.
Private Network Address Visibility
The
CylanceOPTICS
 agent records network connections within the RFC 1918 and RFC 4193 address spaces.
Signal to noise ratio: Low
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
Not recommended for:
  • DNS servers
  • Low or under resourced systems
  • Systems that use RDP or other remote access software
  • This sensor gathers a significant amount of data and can impact the length of time that data is stored in the
    CylanceOPTICS
     database.
  • BlackBerry
     recommends that you enable this sensor only in environments where full visibility into private network address communication is a requirement.
Windows Advanced Audit Visibility
The
CylanceOPTICS
 agent monitors additional
Windows
 event types and categories.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
  • This sensor enables monitoring of the following event IDs:
    • 4769 kerberos ticket request
    • 4662 operation on active directory object
    • 4624 successful logon
    • 4702 scheduled task creation
Windows Event Log Visibility
The
CylanceOPTICS
 agent records
Windows
 security events and their associated attributes.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Moderate
Recommended for:
  • Desktops
  • Laptops
  • Servers
Not recommended for:
  • Domain controllers
  • Exchange and email servers
  • The
    Windows
     event logs that this sensor collects data from will be generated frequently during normal system usage.
  • To reduce duplicate data and to allow for increased data retention, determine if your organization already has tools in place that collect data from
    Windows
     event logs.