CylanceOPTICS sensors

You can enable any of the following CylanceOPTICS sensors to collect additional data beyond standard process, file, network, and registry events. Enabling optional sensors can impact performance and resource usage on devices, as well as the amount of data stored in the CylanceOPTICS database. BlackBerry recommends enabling optional sensors on a small number of devices initially to assess the impact.

The optional sensors are supported for 64-bit operating systems only, unless otherwise noted.

Sensor | Description | Best practices | Notes |
---|---|---|---|
Advanced Scripting Visibility | The CylanceOPTICS agent records commands, arguments, scripts, and content from JScript, PowerShell (console and integrated scripting environment), VBScript, and VBA macro script execution. Signal to noise ratio: High. Potential data retention and performance impact: Low to moderate. | Recommended for: Not recommended for: | |
Advanced WMI Visibility | The CylanceOPTICS agent records additional WMI attributes and parameters. Signal to noise ratio: High. Potential data retention and performance impact: Low. | Recommended for: | |
API Sensor | The CylanceOPTICS agent monitors an identified set of Windows API calls. Signal to noise ratio: Moderate. Potential data retention and performance impact: Enabling this sensor may impact a device's CPU performance. | Recommended for: | |
Cryptojacking Detection | The CylanceOPTICS agent processes Intel CPU activity using hardware registers for potential cryptomining and cryptojacking activity. Signal to noise ratio: Moderate. Potential data retention and performance impact: Low. | Supported for: | Not supported for virtual machines. |
DNS Visibility | The CylanceOPTICS agent records DNS requests, responses, and associated data fields such as Domain Name, Resolved Addresses, and Record Type. Signal to noise ratio: Moderate. Potential data retention and performance impact: Moderate. | Recommended for: Not recommended for: | |
Enhanced File Read Visibility | The CylanceOPTICS agent monitors file reads within an identified set of directories. Signal to noise ratio: Moderate. Potential data retention and performance impact: Low. | Recommended for: | |
Enhanced Portable Executable Parsing | The CylanceOPTICS agent records data fields associated with portable executable files, such as file version, import functions, and packer types. Signal to noise ratio: Moderate. Potential data retention and performance impact: Low. | Recommended for: | |
Enhanced Process and Hooking Visibility | The CylanceOPTICS agent records process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection. Signal to noise ratio: Moderate. Potential data retention and performance impact: Low. | Recommended for: | |
Private Network Address Visibility | The CylanceOPTICS agent records network connections within the RFC 1918 and RFC 4193 address spaces. Signal to noise ratio: Low. Potential data retention and performance impact: Low. | Recommended for: Not recommended for: | |
Windows Advanced Audit Visibility | The CylanceOPTICS agent monitors additional Windows event types and categories. Signal to noise ratio: Moderate. Potential data retention and performance impact: Low. | — | |
Windows Event Log Visibility | The CylanceOPTICS agent records Windows security events and their associated attributes. Signal to noise ratio: Moderate. Potential data retention and performance impact: Moderate. | Recommended for: Not recommended for: | |