High sisidsdaemon CPU utilization on SEP Linux Agent

Article ID: 265777

Products

Endpoint Protection, Endpoint Protection Cloud, Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

Since applying an Endpoint Detection and Response (EDR) policy to SEP Linux agents, CPU usage for sisidsdaemon has been high.

Environment

SEP 14.3 RU4 and higher with EDR enabled.

Cause

Depending on the software installed on the Linux machine, event generation can be high, especially with security and monitoring software. Capturing these events can drive up CPU usage when the number of events is extremely high.

Resolution

In most circumstances, the high event activity is generated by security, backup or monitoring software. Excluding these processes from event recording reduces the load on the daemon responsible for capturing events (sisidsdaemon).

Starting with SEP 14.3 RU6, exclusions for Linux processes can be set in the Detection and Response policy. Ensure clients are running SEP 14.3 RU6 or higher, then configure process exclusions for processes that generate a large number of events that are not of interest to Incident Response teams. Network activity monitoring can also greatly increase the number of events generated; if these network events are not needed, their recording can be disabled.


Excluding Linux Processes from recording

1. Open the Detection and Response policy.

2. Under Endpoint Activity Recorder Rules, select the 'Linux' tab.

3. Click the +Add option.

4. Choose 'Process Activity' for the event type.

5. In the Actor field, provide the full path to the process.

Note: The process itself must be listed. Providing a folder path without the process will fail to exclude the process.

6. Click 'Save'.
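Because the Actor field needs the full path to the executable and a bare folder path does not exclude anything, it helps to check a candidate value on the client before entering it in the policy. The following POSIX shell functions are an added example, not part of this article or of the SEP Linux agent; they assume a Linux host with /proc mounted, and the sample paths used are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an Actor value for a
# Linux process exclusion in the Endpoint Activity Recorder rules.

# validate_actor PATH
#   Prints PATH and returns 0 when PATH is an absolute path to an existing
#   regular file, which is what the Actor field requires.
#   Returns 1 (with a reason on stderr) for relative paths, directories
#   and missing files, all of which would not exclude the process.
validate_actor() {
    p="$1"
    case "$p" in
        /*) ;;                                  # absolute path: fine
        *)  echo "reject: '$p' is not an absolute path" >&2; return 1 ;;
    esac
    if [ -d "$p" ]; then
        echo "reject: '$p' is a folder; list the process executable itself" >&2
        return 1
    fi
    if [ ! -f "$p" ]; then
        echo "reject: '$p' does not exist or is not a regular file" >&2
        return 1
    fi
    printf '%s\n' "$p"
}

# exe_path_of PID
#   Prints the full path of the executable behind a running process, read
#   from /proc, so the value entered in the Actor field matches the binary
#   the agent actually observes (the name in ps output may differ).
exe_path_of() {
    readlink "/proc/$1/exe"
}

# Usage: check the shell running this script as a stand-in for a
# hypothetical backup or monitoring daemon that floods the event recorder.
validate_actor "$(exe_path_of $$)"
```

Run `validate_actor` against the path you intend to enter; a rejected value (for example a directory such as /usr/bin, or a relative name) would not exclude the process once saved in the policy.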

Disabling Host Network Activity events

1. Open the Detection and Response policy.

2. Under Endpoint Activity Recorder Rules, select the 'Linux' tab.

3. Click the +Add option.

4. Choose 'Host Network Activity' for the event type.

5. Click 'Save'.