You want to understand how agent channel filters work in relation to agent policies.

Release : 15.x

Component : Agent configuration, agent policies

The order of filtering of agent data is: 

1. Agent Configuration
2. Policy

Anything filtered at step 1 is not available for evaluation in step 2

For example

• If you have a protocol such as Removable Storage in a policy detection rule you will only get Incidents for removable storage devices from file types included in the agent configuration for monitoring on that channel
• If you have a policy that is monitoring the Cloud Storage channel, but that channel is not selected on the agent configuration, you will receive no incidents

A complicating factor is the behaviour of True Type files on the agent configuration channel filters, which will recognize certain file types by a single signature. For example all Open Office type documents are seen as a single type. Thus filtering on .docx at the agent configuration level will also filter on .pptx, .xlsx etc. More details on True Type files here. At the policy level however, finer differentiation is achievable for some file formats.