CB ThreatHunter: Investigate page returning reduced events volume

Article ID: 285569

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • A frequent regmod to a specific registry location from a third-party security product will be excluded
  • A frequent crossproc (opening handles to all processes repeatedly) by a third-party security product will be excluded
  • Repeated netconns by any single process to any unique remote IP:port combination will be excluded

Environment

  • CB ThreatHunter Web Console: All Versions
  • CB PSC Windows Sensor: 3.4.x.x and higher
  • Microsoft Windows: All Supported Versions

Cause

There is a cloud-driven change coming this week to ease network loads and minimize redundancy in VMware Carbon Black Cloud Enterprise EDR event data.

Resolution

VMware Carbon Black has performed a deep analysis of the most repetitive events aggregated across all customers, and has designed surgical rules to exclude these events from all Enterprise EDR customers' sensor traffic.

Additional Information

While every endpoint and workload is different, based on initial findings VMware Carbon Black expects that most customers could see on average a 20% reduction in the number of sent events, ranging for most customers between 10% and 30%.