Sep 09 2023 12:20 AM - edited Sep 09 2023 12:21 AM
Hi There
We have found that with the default config of supplementary_events_subsystem set to auditd, CPU usage gets high on busier systems.
We manually set it to ebpf via the CLI when we detect this, but we would prefer to set it as a default from now on, as it reduces CPU usage by orders of magnitude in nearly every case, e.g.
mdatp config ebpf-supplementary-event-provider --value enabled
We can manage most other settings via the mdatp_managed.json file, which we manage via Puppet, but it appears that supplementary_events_subsystem is not a value that can be managed at present? I certainly cannot find any documentation.
Dec 02 2023 07:09 AM
Jan 31 2024 04:31 AM
@Tempest62 and everyone else: It looks like Microsoft has listened, or it was on their roadmap all along, but it looks like we can configure it in the config just like other settings now. It's also now enabled by default on updated versions of MDATP, which is cool.
Feb 13 2024 06:57 AM - edited Feb 13 2024 06:57 AM
Thanks for mentioning this @AnthonySomerset.
Do you have the setting in place and appearing as '[Managed]' if you query mdatp? I had a first pass at it a couple of weeks ago, but wherever I placed the recommended block in my mdatp_managed.json file, it was either incorrect or missing a dependency, as it knocked out all other managed settings.
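The symptom described here (one added block knocking out every other managed setting) is what you get when the agent cannot parse the managed file at all, for example because of a duplicate top-level key or a stray comma. The following is an added example, not code from this thread or from Microsoft: a small Python helper that merges the eBPF setting into an existing mdatp_managed.json instead of hand-editing it, rejects duplicate keys and invalid JSON before anything is written, and writes the file atomically. The key name `features.ebpfSupplementaryEventProvider` and the path `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` are my recollection of Microsoft's documentation and should be treated as assumptions to verify against the current docs for your agent version; the sample existing config is constructed.

```python
"""Merge the eBPF supplementary-event-provider setting into mdatp_managed.json
without disturbing the other managed settings already in the file.

Added example (not from the thread or from Microsoft). Assumptions:
- managed file path and the key "features.ebpfSupplementaryEventProvider"
  are recalled from Microsoft's docs; verify them for your agent version.
- a file that fails to parse makes the agent drop every managed setting,
  which is why parsing is validated before the file is touched.
"""
import json
import os
from typing import Any, List

MANAGED_PATH = "/etc/opt/microsoft/mdatp/managed/mdatp_managed.json"  # assumed path

# Constructed sample of an existing managed file with other settings in place.
SAMPLE_EXISTING = """{
  "antivirusEngine": { "enforcementLevel": "real_time" },
  "edr": { "tags": [ { "key": "GROUP", "value": "linux-servers" } ] }
}"""


def _reject_duplicate_keys(pairs):
    """object_pairs_hook for json.loads: duplicate keys raise instead of silently
    keeping the last one, which is how a pasted block can shadow a whole section."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in managed config")
        obj[key] = value
    return obj


def load_managed(text: str) -> dict:
    """Parse the managed JSON strictly; any defect raises so nothing broken is written."""
    data = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    if not isinstance(data, dict):
        raise ValueError("top level of mdatp_managed.json must be a JSON object")
    return data


def is_valid_managed(text: str) -> bool:
    """True if the text would parse as a managed config (no duplicate keys, object at top)."""
    try:
        load_managed(text)
        return True
    except ValueError:
        return False


def set_nested(data: dict, path: List[str], value: Any) -> dict:
    """Set data[path[0]][path[1]]... = value, creating intermediate objects as
    needed and leaving every sibling setting untouched."""
    node = data
    for key in path[:-1]:
        child = node.get(key)
        if child is None:
            child = node[key] = {}
        elif not isinstance(child, dict):
            raise ValueError(f"{key!r} exists but is not an object; refusing to overwrite")
        node = child
    node[path[-1]] = value
    return data


def enable_ebpf_provider(existing_text: str) -> str:
    """Return the managed JSON text with the eBPF provider enabled and all other
    settings preserved. Raises ValueError rather than emitting a broken file."""
    data = load_managed(existing_text)
    # Key name assumed from Microsoft's docs; values are "enabled" / "disabled".
    set_nested(data, ["features", "ebpfSupplementaryEventProvider"], "enabled")
    out = json.dumps(data, indent=2) + "\n"
    load_managed(out)  # round-trip check before anything reaches disk
    return out


def write_managed(existing_text: str, path: str = MANAGED_PATH) -> None:
    """Write the merged config atomically so the agent never reads a partial file."""
    new_text = enable_ebpf_provider(existing_text)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Dry run on the constructed sample; swap in the real file contents to deploy.
    print(enable_ebpf_provider(SAMPLE_EXISTING))
```

After deploying, the health field named earlier in this thread (`mdatp health --field supplementary_events_subsystem`) is the place to confirm the value reads ebpf and is marked as managed; if every managed setting disappears instead, run `is_valid_managed` on the file the agent is actually reading, since a parse failure, not the setting itself, is the usual cause.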