Even if we enable observe mode for all systems, it will create all the events that "would be blocked", and if we disable observe mode and enable balance mode in the policy, it will create the same amount of blocked events.
We do not have a standard OS image in our environment where we could apply the observe mode policy on a few systems, whitelist applications, then disable observe mode and go for production deployment. We have many applications scattered across systems, and not all of them can be tested with the ATP policy before we go for production roll-out.
Is there any way to minimize events in observe mode?
Events are expected to be generated whether ATP is deployed in observe or enabled mode, as long as the corresponding ATP rules/conditions are met for the running processes.
ATP works on processes that are not determined as malicious by On-Access Scan. Hence, if you want to minimize the number of events generated by ATP, using the TIE server to mark PE files that are trusted by you/internally by the organization can be suggested here.
If a TIE server is not used internally, then we recommend adding exclusions for the commonly used processes under OAS exclusions (Low Risk processes, and exclusions for Standard and High Risk processes as well) to avoid those processes being scanned, provided these are trusted internally by your organization. There is a certain amount of administration effort involved here, as ATP will not be able to trust processes and reduce events on its own without being fed this required data.
Was my reply helpful? If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!
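The answer above boils down to an administration task: find out which internally trusted processes are generating the bulk of the "would block" events, then feed that trust decision to ATP (via TIE reputation or OAS exclusions). The script below is an added example, not code from the thread or from the vendor; it triages a constructed CSV export of observe-mode events, aggregates them per file hash, and ranks the hashes seen on several machines as candidates for a human trust review. The column names (`host`, `process_path`, `sha256`, `rule_id`, `action`) and the hash values are assumptions made up for this example, not the product's real export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of ATP observe-mode events. The column names and
# hash values are an assumption for this example, not the product's export format.
SAMPLE_EVENTS_CSV = r"""timestamp,host,process_path,sha256,rule_id,action
2024-01-10T09:01:00Z,host01,C:\Apps\Internal\report.exe,HASH_A_PLACEHOLDER,321,Would Block
2024-01-10T09:03:00Z,host02,C:\Apps\Internal\report.exe,HASH_A_PLACEHOLDER,321,Would Block
2024-01-10T09:05:00Z,host03,C:\Apps\Internal\report.exe,HASH_A_PLACEHOLDER,321,Would Block
2024-01-10T09:07:00Z,host01,C:\Apps\Internal\report.exe,HASH_A_PLACEHOLDER,321,Would Block
2024-01-10T10:00:00Z,host01,C:\Users\bob\AppData\Local\Temp\setup.exe,HASH_B_PLACEHOLDER,210,Would Block
2024-01-10T10:30:00Z,host02,C:\Apps\Internal\sync.exe,HASH_C_PLACEHOLDER,321,Would Block
2024-01-10T10:31:00Z,host04,C:\Apps\Internal\sync.exe,HASH_C_PLACEHOLDER,321,Would Block
2024-01-10T11:00:00Z,host02,C:\Apps\Internal\report.exe,HASH_A_PLACEHOLDER,321,Allowed
"""


def parse_events(csv_text):
    """Parse the export and keep only the observe-mode 'Would Block' events."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["action"] == "Would Block"]


def rank_candidates(events, min_hosts=2):
    """Aggregate events per file hash and return candidates for trust review.

    A hash seen on at least `min_hosts` distinct machines is likely broadly
    deployed software and worth reviewing for a TIE 'trusted' reputation or
    an OAS exclusion; a one-off binary in a user's temp directory is not.
    This is a triage heuristic only: each candidate still needs a human
    decision that the file really is trusted internally before it is excluded.
    """
    by_hash = defaultdict(lambda: {"events": 0, "hosts": set(), "paths": set(), "rules": set()})
    for ev in events:
        entry = by_hash[ev["sha256"]]
        entry["events"] += 1
        entry["hosts"].add(ev["host"])
        entry["paths"].add(ev["process_path"])
        entry["rules"].add(ev["rule_id"])

    candidates = [
        {
            "sha256": h,
            "events": d["events"],
            "hosts": len(d["hosts"]),
            "paths": sorted(d["paths"]),
            "rules": sorted(d["rules"]),
        }
        for h, d in by_hash.items()
        if len(d["hosts"]) >= min_hosts
    ]
    # Most noisy first, then most widespread; hash as a stable tie-breaker.
    candidates.sort(key=lambda c: (-c["events"], -c["hosts"], c["sha256"]))
    return candidates


def main():
    events = parse_events(SAMPLE_EVENTS_CSV)
    for c in rank_candidates(events):
        print(f"{c['sha256']}: {c['events']} events on {c['hosts']} hosts, rules {c['rules']}")
        for path in c["paths"]:
            print(f"    {path}")


if __name__ == "__main__":
    main()
```

Run against a real export, the ranked list tells you where the administration effort the answer mentions pays off first: the top few hashes typically account for most observe-mode noise. Keying on the hash rather than the path matters because TIE reputation is per file hash, and because the same trusted binary may live under different paths on hosts that were built from different images.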