Global subscriptions refer to the WMI events that the CYFOX Agent "subscribes" to and consistently reports to the XDR server. These events are crucial for the Agent to communicate with the server for real-time monitoring and response.
How Global Subscriptions Work
The relationship between the Agent (EDR) and the Server (XDR) functions similarly to any other policy enforcement mechanism:
Server Role: The server sends updates, policies, and configurations to the Agent.
Agent Role: The Agent applies these policies, specifically focusing on the events to monitor and report. It uses this information for mitigation actions and forensic analysis, sending the results back to the server.
By maintaining these subscriptions, the Agent ensures continuous and accurate reporting, enabling the server to maintain optimal security posture and respond effectively to threats.
Managing global subscriptions means defining which events the Agent will utilize. This usage encompasses two primary roles:
Event Reading: The Agent "reads" events to mitigate attacks when necessary.
Forensic Reporting: The Agent sends forensic data back to the server, based on insights gained from the events it "reads".
Why Subscriptions Need to Be Managed
A common question is why subscriptions should be managed at all instead of simply "applying all" events for the Agent to use. The answer is straightforward: managing subscriptions is crucial for maintaining the performance and efficiency of the deployment. Here’s why:
Server UI Performance: Handling too many events can significantly slow down the server’s user interface.
Network Bandwidth: Excessive event reporting can increase network bandwidth usage.
Storage and Processing: Storing and processing a large volume of events can strain server resources and storage capacity.
Event Relevance: Filtering out irrelevant events ensures that only significant events are monitored, reducing noise and improving the accuracy of threat detection.
Response Times: Efficient event management allows for quicker response times, as the system isn’t bogged down by unnecessary data.
Scalability: Managing subscriptions allows the system to scale more effectively, accommodating growth without degrading performance.
By carefully managing which events the Agent subscribes to, you ensure efficient performance, reduce unnecessary strain on your infrastructure, and maintain a high level of security and responsiveness.
Optimizing Event Subscriptions Management
To optimize performance and functionality, the CYFOX team has categorized events into two groups: "Must Have" and "Nice to Have."
Must Have: Essential events required for the Agent to function effectively, including threat mitigation and prevention.
Nice to Have: Events that are useful from the user's perspective but not necessary for the Agent's core operations.
By default, only "Must Have" events are enabled to ensure the Agent operates efficiently without unnecessary data load.
"Must Have" Events List
"Must Have" Event | Event Identifier |
FIM Event | FileIntegrityMonitor |
Defender Event | WindowsDefender |
Process Creation | ProcessCreation |
UFD Plug | UFD_Plug |
UFD Unplug | UFD_Unplug |
Volume Change | VolumeChange |
USB Drive Plug | USB_Drive_Plug |
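To make concrete what a "WMI event subscription" is, as described in the "How Global Subscriptions Work" section and listed in the table above, here is an added PowerShell illustration. It is not CYFOX's code and does not show how the Agent is implemented; it simply registers two temporary WMI subscriptions of the same kinds the table names (volume/USB change and process creation) in the current session. It assumes an elevated PowerShell session on Windows (Win32_ProcessStartTrace requires administrator rights); the source identifiers DemoVolumeChange and DemoProcessCreation are names chosen here.

```powershell
# Added illustration, not CYFOX's code: two temporary WMI event subscriptions
# of the same kinds as the "Must Have" list (volume/USB change, process creation).
# Run in an elevated PowerShell session; Win32_ProcessStartTrace needs admin rights.

# 1) Volume change / USB drive plug: Win32_VolumeChangeEvent.
#    EventType 2 = device arrival (plug), 3 = device removal (unplug).
#    The WHERE clause is the subscription's filter: only plug/unplug are delivered,
#    which is the same "event relevance" idea as managing subscriptions on the server.
$volumeQuery = "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3"
Register-CimIndicationEvent -Query $volumeQuery -SourceIdentifier 'DemoVolumeChange' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    $kind = if ($e.EventType -eq 2) { 'Plug' } else { 'Unplug' }
    Write-Host ("[{0}] VolumeChange {1}: drive {2}" -f (Get-Date -Format o), $kind, $e.DriveName)
}

# 2) Process creation: Win32_ProcessStartTrace (an extrinsic event; no polling interval needed).
#    This is typically the highest-volume subscription on a busy host, which is why
#    unfiltered "apply all" subscriptions cost bandwidth, storage and UI responsiveness.
$procQuery = "SELECT * FROM Win32_ProcessStartTrace"
Register-CimIndicationEvent -Query $procQuery -SourceIdentifier 'DemoProcessCreation' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    Write-Host ("[{0}] ProcessCreation: {1} (PID {2}, parent PID {3})" -f `
        (Get-Date -Format o), $e.ProcessName, $e.ProcessID, $e.ParentProcessID)
}

# Keep the subscriptions alive for one minute, then unregister them so nothing
# outlives this demonstration. (A production agent keeps them for its whole lifetime.)
Start-Sleep -Seconds 60
Get-EventSubscriber | Where-Object SourceIdentifier -like 'Demo*' | Unregister-Event
```

While the script is sleeping, plugging in a removable drive or launching a program prints a line from the matching subscription. Removing the `WHERE` filter on the volume query, or adding further classes, is exactly the trade-off the next section discusses: every extra event delivered to the Agent becomes data it must process and report.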
Changing Event Subscriptions
If you wish to modify the event subscriptions, you can do so using one of the following methods:
Change Subscriptions for Specific Agent(s)
Change Subscriptions for All Agents
Important Note: Updating all agents is different from setting a "global" rule of the kind available in other policies. Choosing this option updates all agents currently in the database.
However, agents installed afterward will not inherit the subscriptions applied in that update.
Steps to Modify Event Subscriptions
Access the Configuration Panel: Navigate to the CYFOX policy page through the main menu.
Locate and select the "Events Subscriptions" tab.
To modify a specific endpoint: click the "Pencil" icon on the right side of the endpoint, then click "Manage Subscriptions."
To modify multiple endpoints together: use the multi-selection button (the gray circle, as shown below), then click "Update," available at the top next to the table title (Hosts).
To modify all endpoints in the database: click the first circle at the top of the table, next to the column name "All."
Enable or Disable Events: Toggle the events you wish to enable or disable. Be mindful of the implications of disabling "Must Have" events, as this may impact the Agent's effectiveness in mitigating and preventing threats.
Save Changes: Apply the changes and save the configuration. The Agent(s) will update their event subscriptions accordingly. An orange badge will appear to indicate that the new subscription rules have been successfully updated.
Important Note
When updating all subscriptions together, the system does not display the previously used configuration, because it cannot verify that every selected agent has exactly the same events subscribed.
Instead, you are presented with the complete list of all events, and you can enable or disable any of them as needed.