Endpoint Detection and Response tuning for server Operating Systems
Article ID: 408479

Products

Endpoint Security, Endpoint Security for Servers, Endpoint Security Complete, Endpoint Detection and Response, Endpoint Detection and Response Cloud, Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

When Symantec Endpoint Detection and Response (EDR) is tested and deployed on servers, the default policy can record a high volume of routine server activity (for example backup, monitoring and management agents). Tuning the policy for those servers may be required to reach acceptable operating performance without losing visibility into activity that matters.

Environment

Symantec Endpoint Detection and Response (SEDR)

Resolution

Below is a high-level procedure for tuning EDR events for server operating systems:

  1. In the cloud console, create a designated test Device Group and move the target servers into it.

    Note: Creating the test group as a sub-group of the servers' current group lets it inherit that group's policies, so the servers keep their existing protection while baseline data is collected.

  2. Allow the existing EDR policy to run on the test servers for a minimum of one week to collect a baseline of event data.
  3. Filter Event Data by navigating to the Investigate page within the console. Apply filters to restrict the view exclusively to devices within your designated test group.
  4. Identify the event sources that generate the majority of the EDR event stream. Do this using one of the following methods:
    • In-Console: Use the Group By function to break the results down by specific event attributes (e.g., Event Type, Actor, Actor Command Line). The attribute values of the noisiest groups are the candidates for Endpoint Activity Recorder (EAR) exclusion rules.
    • Offline Analysis: Click Download Grid > All Columns > OK to export the search results to a CSV file for review in a spreadsheet application or a script.
  5. Duplicate the currently applied EDR policy. Add the EAR exclusion rules identified during your analysis to the duplicated policy, and assign it to the test group to validate the tuning. Keep each rule as narrow as the data allows (full actor path plus command line rather than a process name alone), because activity matched by an EAR exclusion is not recorded and therefore cannot be investigated later. Do not exclude general-purpose interpreters and system utilities (for example PowerShell or cmd.exe) on the strength of their event volume, since these are also what an attacker runs. Once the test group has run on the tuned policy without loss of needed visibility, apply the policy to the production server group.
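The offline analysis in step 4 and the candidate selection in step 5, as an added example in Python (this is not Symantec's code and not part of the original article). It reproduces the console's Group By over an exported CSV, lists the groups that make up the bulk of the event stream, and flags candidates whose actor is a generic interpreter so they are reviewed rather than excluded. The column names (`Event Type`, `Actor`, `Actor Command Line`, and so on), the server names and the rows in `SAMPLE_CSV` are all constructed for the example; map the column names to the headers of your own Download Grid export. The interpreter list is an illustrative set of well-known Windows binaries, not a Symantec list.

```python
"""Offline analysis of an EDR event export: find the noisiest event sources
in a test group, the way the console's Group By does, and flag candidates
that should not become EAR exclusions.

Added example; not Symantec's code. Column names and rows in SAMPLE_CSV are
constructed for the example: map the names to your own export's headers."""
import csv
import io
import ntpath
from collections import Counter

# Constructed sample export (assumed column names, made-up servers/events).
SAMPLE_CSV = r"""Time,Device,Event Type,Actor,Actor Command Line
2024-05-06T01:00:01Z,srv-01,Process Launch,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:00:02Z,srv-01,File Create,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:00:03Z,srv-01,File Create,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:00:04Z,srv-01,File Create,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:00:05Z,srv-02,Process Launch,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:00:06Z,srv-02,File Create,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:00:07Z,srv-02,File Create,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:00:08Z,srv-02,File Create,C:\Program Files\Acme Backup\bkagent.exe,bkagent.exe --snapshot D:\
2024-05-06T01:05:00Z,srv-01,Network Connection,C:\Program Files\Acme Monitor\monagent.exe,monagent.exe --heartbeat
2024-05-06T01:05:00Z,srv-02,Network Connection,C:\Program Files\Acme Monitor\monagent.exe,monagent.exe --heartbeat
2024-05-06T02:00:00Z,srv-01,Process Launch,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\rotate-logs.ps1
2024-05-06T02:00:00Z,srv-02,Process Launch,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\rotate-logs.ps1
2024-05-06T03:00:00Z,srv-02,Process Launch,C:\Windows\System32\cmd.exe,cmd.exe /c dir C:\Temp
"""

# Illustrative set of well-known interpreters and living-off-the-land binaries
# (assumption for this example). Excluding these by actor alone would blind
# the recorder to exactly what an attacker runs.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}


def load_events(csv_text):
    """Parse the exported grid into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def group_by(events, keys):
    """Count events per combination of the given columns (console Group By)."""
    return Counter(tuple(row[k] for k in keys) for row in events)


def top_contributors(events, keys, threshold=0.10):
    """Groups holding at least `threshold` of all events, as
    (key_tuple, count, share) tuples, highest count first."""
    total = len(events)
    if total == 0:
        return []
    return [(k, c, c / total)
            for k, c in group_by(events, keys).most_common()
            if c / total >= threshold]


def is_interpreter(actor_path):
    """True if the actor is a generic interpreter/LOLBin from INTERPRETERS."""
    return ntpath.basename(actor_path).lower() in INTERPRETERS


def exclusion_candidates(events, threshold=0.10):
    """Suggest (actor, command line) pairs that dominate the stream. Pairs
    whose actor is an interpreter are kept but marked review=True so a
    human decides instead of the volume figure alone."""
    keys = ("Actor", "Actor Command Line")
    return [{"actor": actor, "cmdline": cmdline, "count": count,
             "share": round(share, 3), "review": is_interpreter(actor)}
            for (actor, cmdline), count, share
            in top_contributors(events, keys, threshold)]


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for keys in (("Event Type",), ("Actor",), ("Event Type", "Actor")):
        print("Group by", " + ".join(keys))
        for k, c, s in top_contributors(evs, keys):
            print(f"  {c:4d} {s:6.1%}  {' | '.join(k)}")
    print("Exclusion candidates:")
    for cand in exclusion_candidates(evs):
        print(" ", cand)
```

In the constructed sample the backup agent accounts for well over half of the events and is a clean candidate for a narrow actor-plus-command-line rule, while the PowerShell log-rotation job crosses the volume threshold but is returned with `review=True`: the right fix there is usually a rule keyed on that exact command line, never on `powershell.exe` as an actor.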