This topic describes how to validate that exclusions are working as anticipated.
Event Reporting Exclusions
Event Reporting Exclusions should be used when it is necessary to decrease Carbon Black Cloud’s network bandwidth consumption; for example, to resolve a network performance issue or to use Carbon Black Cloud in a network bandwidth-constrained environment.
To validate that an Event Reporting Exclusion is working properly, open the Process Analysis page for a process that has an Event Reporting Exclusion applied. Excluded event types should not appear in the process event results for time periods that occurred after the time of exclusion enforcement. However, some edge cases can occur in which an excluded event type can still be reported. See Note.
After enforcing an Event Reporting Exclusion for a process that generates a high volume of events and excluding those event types, Carbon Black Cloud’s network bandwidth consumption should decrease on average.
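The check described above can also be run over a set of exported process events. The following is an added example, not Carbon Black code, and it calls no Carbon Black API. The field names `event_type` and `event_timestamp`, the event type values, the sample data, and the `max_residual` tolerance for the expected edge cases are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def parse_ts(value):
    # ISO 8601 with a trailing Z, as used in the constructed sample below
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_exclusion(events, excluded_types, enforced_at, max_residual=0.05):
    """Classify each excluded event type by its rate before vs. after enforcement.

    events: dicts with 'event_type' and 'event_timestamp' (assumed field names).
    max_residual: assumed tolerance; a post-enforcement rate at or below this
    fraction of the earlier rate is treated as the expected edge case.
    """
    cutoff = parse_ts(enforced_at)
    before, after = Counter(), Counter()
    first = last = cutoff
    for ev in events:
        ts = parse_ts(ev["event_timestamp"])
        first, last = min(first, ts), max(last, ts)
        (before if ts < cutoff else after)[ev["event_type"]] += 1
    hours_before = (cutoff - first).total_seconds() / 3600
    hours_after = (last - cutoff).total_seconds() / 3600
    report = {}
    for etype in excluded_types:
        b, a = before[etype], after[etype]
        if hours_after == 0:
            status = "no_post_enforcement_data"   # nothing to compare against yet
        elif a == 0:
            status = "excluded" if b else "no_baseline"
        elif b and a / hours_after <= max_residual * (b / hours_before):
            status = "edge_case"                  # rare residual events only
        else:
            status = "still_reporting"            # exclusion is not taking effect
        report[etype] = {"before": b, "after": a, "status": status}
    return report

def constructed_events():
    """Constructed sample: two hours either side of enforcement at 12:00 UTC."""
    start = datetime.fromisoformat("2024-05-01T10:00:00+00:00")
    def ev(etype, minute):
        ts = (start + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"event_type": etype, "event_timestamp": ts}
    events = [ev("netconn", m) for m in range(120)]            # stops at enforcement
    events.append(ev("netconn", 150))                          # one late residual event
    events += [ev("filemod", m) for m in range(0, 240, 2)]     # keeps its earlier rate
    events += [ev("childproc", m) for m in range(0, 241, 30)]  # not an excluded type
    return events

if __name__ == "__main__":
    result = validate_exclusion(constructed_events(), ["netconn", "filemod", "regmod"], "2024-05-01T12:00:00Z")
    for etype, row in result.items():
        print(etype, row)
```

A `still_reporting` result means the event type continues at close to its earlier rate, so the exclusion's process match and selected event types should be rechecked.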
Event Reporting and Sensor Operation Exclusions
Use Event Reporting and Sensor Operations Exclusions to resolve endpoint performance and interoperability issues.
After enforcing one or more Event Reporting and Sensor Operations Exclusions for a process that has excessive CPU or memory consumption, the CPU and/or memory consumption of that process and Carbon Black Cloud processes should decrease on average.
Note: With Event Reporting Exclusions and Event Reporting and Sensor Operations Exclusions, there is a chance that excluded events can still be reported because sensor operations that are not impacted by the exclusion, such as Tamper Prevention, still generate events. Most excluded event types will no longer be reported, but there can be some edge cases in which an excluded event type is still reported. This is expected behavior.