Skip Navigation

CylanceOPTICS
optional sensors

You can enable any of the following
CylanceOPTICS
sensors to collect additional data beyond standard process, file, network, and registry events. Enabling optional sensors can impact performance and resource usage on devices, as well as the amount of data stored in the
CylanceOPTICS
database.
BlackBerry
recommends enabling optional sensors on a small number of devices initially to assess the impact.
The optional sensors are supported for
Windows
64-bit operating systems only, unless otherwise noted.
Sensor
Description
Best practices
Notes
Advanced Scripting Visibility
The
CylanceOPTICS
agent records commands, arguments, scripts, and content from JScript, PowerShell (console and integrated scripting environment), VBScript, and VBA macro script execution.
Signal to noise ratio: High
Potential data retention and performance impact: Low to moderate
Recommended for:
  • Desktops
  • Laptops
  • Servers
Not recommended for
Microsoft Exchange
and email servers.
  • Tools provided by
    Microsoft
    or other third-party solutions may rely heavily on PowerShell to conduct operations.
  • To allow for increased data retention,
    BlackBerry
    recommends that you configure detection exceptions for trusted tools that make heavy use of PowerShell.
Advanced WMI Visibility
The
CylanceOPTICS
agent records additional WMI attributes and parameters.
Signal to noise ratio: High
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Some
    Windows
    background and maintenance processes use WMI to schedule tasks or execute commands, which can result in bursts of high WMI activity.
  • BlackBerry
    recommends analyzing your environment’s WMI usage before you enable this sensor.
API Sensor
The
CylanceOPTICS
agent monitors an identified set of
Windows
API calls.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Enabling this sensor may impact a device's CPU performance
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Supported on x86 or x64
    Windows
    operating systems.
  • Requires the
    CylancePROTECT Desktop
    agent version 3.0.1003 or later.
  • Requires the
    CylanceOPTICS
    agent version 3.2 or later.
COM Object Visibility
The
CylanceOPTICS
agent monitors COM interface and API calls to detect malicious behaviors such as scheduled task creation.
Signal to noise ratio: High
Potential data retention and performance impact: Enabling this sensor may impact CPU performance.
Recommended for:
  • Desktops
  • Laptops
Not recommended for servers.
  • Requires
    CylancePROTECT Desktop
    agent version 3.2 or later.
  • Requires the
    CylanceOPTICS
    agent version 3.3 or later.
Cryptojacking Detection
The
CylanceOPTICS
agent processes
Intel
CPU activity using hardware registers for potential cryptomining and cryptohacking activity.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Supported for:
  • Windows
    10 x64
  • Intel
    Gen 6 to 10
BlackBerry
recommends disabling this sensor, as we are currently investigating stability issues that this sensor can cause with the device OS.
  • Not supported for virtual machines.
  • Not supported for
    Intel
    Gen 11 or later processors.
    BlackBerry
    does not recommend enabling this sensor for Gen 11 or later.
DNS Visibility
The
CylanceOPTICS
agent records DNS requests, responses, and associated data fields such as Domain Name, Resolved Addresses, and Record Type.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Moderate
Recommended for:
  • Desktops
  • Laptops
Not recommended for DNS servers.
  • Note that this sensor can gather a significant amount of data, but can also provide visibility into data that other tools have difficulty recording.
  • To allow for increased data retention,
    BlackBerry
    recommends that you configure detection exceptions for trusted tools that make heavy use of cloud-based services.
Enhanced File Read Visibility
The
CylanceOPTICS
agent monitors file reads within an identified set of directories.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Some third-party security tools may use the
    Windows
    APIs that this sensor collects data from. In some cases,
    CylanceOPTICS
    might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio,
    BlackBerry
    recommends that you configure detection exceptions for trusted security tools.
Enhanced Portable Executable Parsing
The
CylanceOPTICS
agent records data fields associated with portable executable files, such as file version, import functions, and packer types.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • The data gathered by this sensor is passed into the Context Analysis Engine to aid with advanced executable file analysis and is not stored in the
    CylanceOPTICS
    database.
  • Enabling this sensor will have little to no impact on
    CylanceOPTICS
    data retention.
  • If you add and enable a detection rule that analyzes string resources, the
    CylanceOPTICS
    agent might consume significant CPU and memory resources.
Enhanced Process and Hooking Visibility
The
CylanceOPTICS
agent records process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Some third-party security tools may use the
    Windows
    APIs that this sensor collects data from. In some cases,
    CylanceOPTICS
    might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio,
    BlackBerry
    recommends that you configure detection exceptions for trusted security tools.
HTTP Visibility
The
CylanceOPTICS
agent tracks Windows HTTP transactions, including Event Tracing for Windows, WinINet APIs, and WinHTTP APIs.
Signal to noise ratio: High
Potential data retention and performance impact: Enabling this sensor may impact CPU performance.
Recommended for:
  • Desktops
  • Laptops
Not recommended for servers.
  • Requires
    CylancePROTECT Desktop
    agent version 3.2 or later.
  • Requires the
    CylanceOPTICS
    agent version 3.3 or later.
Module Load Visibility
The
CylanceOPTICS
agent monitors module loads.
Signal to noise ratio: High
Potential data retention and performance impact: Enabling this sensor may impact CPU performance.
Recommended for:
  • Desktops
  • Laptops
  • Servers
  • Requires
    CylancePROTECT Desktop
    agent version 3.2 or later.
  • Requires the
    CylanceOPTICS
    agent version 3.3 or later.
Private Network Address Visibility
The
CylanceOPTICS
agent records network connections within the RFC 1918 and RFC 4193 address spaces.
Signal to noise ratio: Low
Potential data retention and performance impact: Low
Recommended for desktops.
Not recommended for:
  • DNS servers
  • Low or under resourced systems
  • Systems that use RDP or other remote access software
  • This sensor gathers a significant amount of data and can impact the length of time that data is stored in the
    CylanceOPTICS
    database.
  • BlackBerry
    recommends that you enable this sensor only in environments where full visibility into private network address communication is a requirement.
Windows Advanced Audit Visibility
The
CylanceOPTICS
agent monitors additional
Windows
event types and categories.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Low
This sensor enables monitoring of the following event IDs:
  • 4769 kerberos ticket request
  • 4662 operation on active directory object
  • 4624 successful logon
  • 4702 scheduled task creation
Windows Event Log Visibility
The
CylanceOPTICS
agent records
Windows
security events and their associated attributes.
Signal to noise ratio: Moderate
Potential data retention and performance impact: Moderate
Recommended for:
  • Desktops
  • Laptops
  • Servers
Not recommended for:
  • Domain controllers
  • Microsoft Exchange
    and email servers
  • The
    Windows
    event logs that this sensor collects data from will be generated frequently during normal system usage.
  • To reduce duplicate data and to allow for increased data retention, determine if your organization already has tools in place that collect data from
    Windows
    event logs.