CylanceOPTICS

optional sensors

You can enable any of the following

CylanceOPTICS

sensors to collect additional data beyond standard process, file, network, and registry events. Enabling optional sensors can impact performance and resource usage on devices, as well as the amount of data stored in the

CylanceOPTICS

database.

BlackBerry

recommends enabling optional sensors on a small number of devices initially to assess the impact.

The optional sensors are supported for 64-bit operating systems only, unless otherwise noted.

Sensor	Description	Best practices	Notes
Advanced Scripting Visibility	The CylanceOPTICS agent records commands, arguments, scripts, and content from JScript, PowerShell (console and integrated scripting environment), VBScript, and VBA macro script execution. Signal to noise ratio: High Potential data retention and performance impact: Low to moderate	Recommended for: Desktops Laptops Servers Not recommended for Microsoft Exchange and email servers.	Tools provided by Microsoft or other third-party solutions may rely heavily on PowerShell to conduct operations. To allow for increased data retention, BlackBerry recommends that you configure detection exceptions for trusted tools that make heavy use of PowerShell.
Advanced WMI Visibility	The CylanceOPTICS agent records additional WMI attributes and parameters. Signal to noise ratio: High Potential data retention and performance impact: Low	Recommended for: Desktops Laptops Servers	Some Windows background and maintenance processes use WMI to schedule tasks or execute commands, which can result in bursts of high WMI activity. BlackBerry recommends analyzing your environment’s WMI usage before you enable this sensor.
API Sensor	The CylanceOPTICS agent monitors an identified set of Windows API calls. Signal to noise ratio: Moderate Potential data retention and performance impact: Enabling this sensor may impact a device's CPU performance	Recommended for: Desktops Laptops Servers	Supported on x86 or x64 Windows operating systems. Requires the CylancePROTECT Desktop agent version 3.0.1003 or later. Requires the CylanceOPTICS agent version 3.2 or later.
COM Object Visibility	The CylanceOPTICS agent monitors COM interface and API calls to detect malicious behaviors such as scheduled task creation. Signal to noise ratio: High Potential data retention and performance impact: Enabling this sensor may impact CPU performance.	Recommended for: Desktops Laptops Not recommended for servers.	Windows only. Requires CylancePROTECT Desktop agent version 3.2 or later. Requires the CylanceOPTICS agent version 3.3 or later.
Cryptojacking Detection	The CylanceOPTICS agent processes Intel CPU activity using hardware registers for potential cryptomining and cryptohacking activity. Signal to noise ratio: Moderate Potential data retention and performance impact: Low	Supported for: Windows 10 x64 Intel Gen 6 to 10	Not supported for virtual machines. Not supported for Intel Gen 11 or later processors. BlackBerry does not recommend enabling this sensor for Gen 11 or later.
DNS Visibility	The CylanceOPTICS agent records DNS requests, responses, and associated data fields such as Domain Name, Resolved Addresses, and Record Type. Signal to noise ratio: Moderate Potential data retention and performance impact: Moderate	Recommended for: Desktops Laptops Not recommended for DNS servers.	Note that this sensor can gather a significant amount of data, but can also provide visibility into data that other tools have difficulty recording. To allow for increased data retention, BlackBerry recommends that you configure detection exceptions for trusted tools that make heavy use of cloud-based services.
Enhanced File Read Visibility	The CylanceOPTICS agent monitors file reads within an identified set of directories. Signal to noise ratio: Moderate Potential data retention and performance impact: Low	Recommended for: Desktops Laptops Servers	Some third-party security tools may use the Windows APIs that this sensor collects data from. In some cases, CylanceOPTICS might record irrelevant or trusted data. To allow for increased data retention and a higher signal to noise ratio, BlackBerry recommends that you configure detection exceptions for trusted security tools.
Enhanced Portable Executable Parsing	The CylanceOPTICS agent records data fields associated with portable executable files, such as file version, import functions, and packer types. Signal to noise ratio: Moderate Potential data retention and performance impact: Low	Recommended for: Desktops Laptops Servers	The data gathered by this sensor is passed into the Context Analysis Engine to aid with advanced executable file analysis and is not stored in the CylanceOPTICS database. Enabling this sensor will have little to no impact on CylanceOPTICS data retention. If you add and enable a detection rule that analyzes string resources, the CylanceOPTICS agent might consume significant CPU and memory resources.
Enhanced Process and Hooking Visibility	The CylanceOPTICS agent records process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection. Signal to noise ratio: Moderate Potential data retention and performance impact: Low	Recommended for: Desktops Laptops Servers	Some third-party security tools may use the Windows APIs that this sensor collects data from. In some cases, CylanceOPTICS might record irrelevant or trusted data. To allow for increased data retention and a higher signal to noise ratio, BlackBerry recommends that you configure detection exceptions for trusted security tools.
HTTP Visibility	The CylanceOPTICS agent tracks Windows HTTP transactions, including Event Tracing for Windows, WinINet APIs, and WinHTTP APIs. Signal to noise ratio: High Potential data retention and performance impact: Enabling this sensor may impact CPU performance.	Recommended for: Desktops Laptops Not recommended for servers.	Windows only. Requires CylancePROTECT Desktop agent version 3.2 or later. Requires the CylanceOPTICS agent version 3.3 or later.
Module Load Visibility	The CylanceOPTICS agent monitors module loads. Signal to noise ratio: High Potential data retention and performance impact: Enabling this sensor may impact CPU performance.	Recommended for: Desktops Laptops Servers	Windows only. Requires CylancePROTECT Desktop agent version 3.2 or later. Requires the CylanceOPTICS agent version 3.3 or later.
Private Network Address Visibility	The CylanceOPTICS agent records network connections within the RFC 1918 and RFC 4193 address spaces. Signal to noise ratio: Low Potential data retention and performance impact: Low	Recommended for desktops. Not recommended for: DNS servers Low or under resourced systems Systems that use RDP or other remote access software	This sensor gathers a significant amount of data and can impact the length of time that data is stored in the CylanceOPTICS database. BlackBerry recommends that you enable this sensor only in environments where full visibility into private network address communication is a requirement.
Windows Advanced Audit Visibility	The CylanceOPTICS agent monitors additional Windows event types and categories. Signal to noise ratio: Moderate Potential data retention and performance impact: Low	—	This sensor enables monitoring of the following event IDs: 4769 kerberos ticket request 4662 operation on active directory object 4624 successful logon 4702 scheduled task creation
Windows Event Log Visibility	The CylanceOPTICS agent records Windows security events and their associated attributes. Signal to noise ratio: Moderate Potential data retention and performance impact: Moderate	Recommended for: Desktops Laptops Servers Not recommended for: Domain controllers Microsoft Exchange and email servers	The Windows event logs that this sensor collects data from will be generated frequently during normal system usage. To reduce duplicate data and to allow for increased data retention, determine if your organization already has tools in place that collect data from Windows event logs.