To help solve interoperability issues with other applications that run on the endpoint, we introduce the Agent Activity Analyzer.
With this capability, you can easily identify interoperability problems between the SentinelOne Agent and other off-the-shelf or custom applications, and use the provided information to resolve the interoperability issue quickly and efficiently by setting focused and effective exclusions.
While we at SentinelOne continuously work on new and improved ways to maintain our detection capabilities with less interoperability friction and less impact on other running processes, security solutions by their nature must interact closely with other running applications. By giving greater visibility into Agent actions and their interaction with these applications, the Analyzer lets users identify potential points of failure and set precise exclusions that preserve business continuity with minimal security impact.
The Analyzer information helps resolve interoperability issues that manifest as high Agent CPU utilization. Future releases will include information that helps resolve other types of interoperability issues.
What type of reports can be generated?
What does the Agent Activity Analyzer report include?
What type of interoperability issues can be identified using the report?
To configure the Agent Activity Analyzer
What type of reports can be generated?
Last 4-hour report - Summary of all Agent activity in the last 4 hours. Generated when you run a sentinelctl command. For command syntax and an example, see "To generate the Agent Activity Analyzer Report from sentinelctl".
Report for a specific timeframe (user-defined). Useful for live debugging. Generated when you run the sentinelctl command. For command syntax and an example, see "To generate the Agent Activity Analyzer Report from sentinelctl".
Last 48-hour report (from Windows 4.6). Generated if you perform the Fetch Logs action from the Console.
Last 2-hour report (from Windows 4.6). Generated if you perform the Fetch Logs action from the Console.
What does the Agent Activity Analyzer report include?
Start and end time the data is collected
Agent start and stop events
Percentage of the time the Agent spent on each process, out of the overall Agent activity time during the data collection period
Absolute time the Agent spent on each process during the data collection period
Agent average and maximum CPU utilization - measured and reported in intervals of 5 minutes
What type of interoperability issues can be identified using the report?
Your platform consumes a lot of resources, and you want to determine if it relates to the SentinelOne Agent.
You identify that the SentinelOne Agent consumes a lot of CPU resources (through this report or by an external tool), and want to investigate if it is related to a third-party application that is running.
Important: There are some processes that must not be excluded even if they appear to create high load on the Agent, like browsers and Microsoft Office. If one of these or other critical processes appears in the log, do not exclude it. Contact SentinelOne Support for help. For a list, see Not Recommended Exclusions.
How do I generate the Agent Activity Analyzer report?
From Windows Agent 4.6:
From Windows Agent 4.6 you can run the Agent Activity Analyzer from the Management Console.
Reports generated from the Management Console show Agent activity for the last 2 hours and for the last 48 hours.
To download the fetched logs:
If you have an On-Prem Management Console, download the log file and send it to Support. If you have a cloud-based Management Console, Support can get your fetched logs from the Cloud.
To stop the Agent from sending the Activity Analyzer report when you perform a Fetch Logs action, either run this sentinelctl command:
SentinelCtl.exe config -p agent.perfLogsConfig.shouldReportOnFetchLogs -v false -k "passphrase"
Or add this to the Policy Override page:
{ "perfLogsConfig": { "shouldReportOnFetchLogs" : "false" } }
For Windows Agent 4.5.x:
The report can be generated by running a local sentinelctl command on the endpoint.
If you generate the Agent Activity Analyzer report from sentinelctl, you can generate either a last 4-hour report or a report for a specific time frame.
To generate the Agent Activity Analyzer Report from sentinelctl:
Syntax of the sentinelctl command:
sentinelctl create_agent_analyzer_report -o "full path to output file" [-s "UTC start time"] [-e "UTC end time"] [-m time frame in minutes]
-o output file name.ext, --output output file name.ext: Output file name (the full path) and extension.
-s start time, --start start time: The collected data start time (UTC time). Format is "hh:mm dd-mm-yyyy".
-e end time, --end end time: The collected data end time (UTC time). Format is "hh:mm dd-mm-yyyy".
-m time frame in minutes, --minutes time frame in minutes: The time frame of the last X minutes. Default is 240 minutes.
Note: If you request a report for a time earlier than the first event in the log or later than the last event, the command will return an empty report. This issue will be fixed in a future version.
Example of a report for a specific time frame:
sentinelctl create_agent_analyzer_report -o "C:\Users\admin\Desktop\agent_activity_analyzer1.txt" -s "12:30 06-11-2020" -e "13:25 06-11-2020"
Example of a report for the last 4 hours:
sentinelctl create_agent_analyzer_report -o "C:\Users\admin\Desktop\agent_activity_analyzer1.txt"
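As an added example (not SentinelOne's code), the following Python builds the argv for the two sentinelctl report types from the page, converting a local time window to the UTC "hh:mm dd-mm-yyyy" format that -s and -e expect (day before month, UTC, not local time). The fixed UTC offset, the output path, and the rule that -m is not combined with -s/-e are assumptions made here.

```python
"""Build sentinelctl create_agent_analyzer_report invocations.

Added example, not SentinelOne code. Command and flag names are taken from the
documentation above; sample times, offsets and paths are constructed.
"""
from datetime import datetime, timedelta, timezone

# Documented timestamp format for -s/-e: "hh:mm dd-mm-yyyy", interpreted as UTC.
UTC_FMT = "%H:%M %d-%m-%Y"
DEFAULT_MINUTES = 240  # documented default for -m (last 4 hours)


def at(year, month, day, hour, minute, utc_offset_hours):
    """Aware datetime at a fixed UTC offset (avoids relying on the OS tz database)."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def to_utc_stamp(local_dt: datetime) -> str:
    """Convert an aware datetime to the UTC string sentinelctl expects for -s/-e."""
    if local_dt.tzinfo is None:
        raise ValueError("pass an aware datetime; the Agent reads -s/-e as UTC")
    return local_dt.astimezone(timezone.utc).strftime(UTC_FMT)


def report_command(output_path, start=None, end=None, minutes=None):
    """Return argv for a specific time-frame report or a last-N-minutes report.

    Assumption: the two modes are used separately (-s/-e never with -m).
    With no window at all, sentinelctl uses its documented 240-minute default.
    """
    argv = ["sentinelctl", "create_agent_analyzer_report", "-o", output_path]
    if start is not None or end is not None:
        if minutes is not None:
            raise ValueError("-m is not combined with -s/-e (assumption)")
        if start is None or end is None:
            raise ValueError("a specific time frame needs both start and end")
        if end <= start:
            raise ValueError("end must be after start, or the report is empty")
        argv += ["-s", to_utc_stamp(start), "-e", to_utc_stamp(end)]
    elif minutes is not None:
        if minutes <= 0:
            raise ValueError("minutes must be positive")
        argv += ["-m", str(minutes)]
    return argv


if __name__ == "__main__":
    # Constructed case: an admin at UTC+2 wants 14:30-15:25 local on 6 Nov 2020,
    # which is the 12:30-13:25 UTC window used in the page's own example.
    out = r"C:\Users\admin\Desktop\agent_activity_analyzer1.txt"
    print(" ".join(report_command(out, at(2020, 11, 6, 14, 30, 2),
                                  at(2020, 11, 6, 15, 25, 2))))
```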
To configure the Agent Activity Analyzer
Note: If you change a configuration value in this feature, you must reload the Agent for the changes to be applied.
Run the sentinelctl command
sentinelctl config perfLogsConfig.interval seconds {collectStatistics {true | false}} {collectCPUStatistics {true | false}} {cpuSamplingInterval seconds} {collectMainLoopStatistics {true | false}} {shouldPruneDB {true | false}} {dataExpirationTime hours} {maxDBSizeInBytes bytes} {percentileToDeleteOnPruning 4}
interval: Number of seconds after which the Agent average and maximum CPU utilization is measured and reported. Default is 300 seconds (5 minutes).
collectStatistics: Enable (true) or disable (false) the feature.
collectCPUStatistics: Enable (true) or disable (false) CPU statistics collection.
cpuSamplingInterval: Number of seconds between every CPU sampling.
collectMainLoopStatistics: Enable (true) or disable (false) main loop statistics collection.
shouldPruneDB: Set whether the Agent should prune (true) or should not prune (false) the database when it reaches its size limit.
dataExpirationTime: After how many hours the Agent deletes old records. Default is 96 hours (4 days).
maxDBSizeInBytes: Maximum size of the database, in bytes.
percentileToDeleteOnPruning: This parameter is related to the logic that the Agent uses to prune the feature database. We recommend that you do not change the default. Default is 25 percent.
Or add to the Policy Override page:
{
  "perfLogsConfig": {
    "interval": 300,
    "collectStatistics": true,
    "collectCPUStatistics": true,
    "cpuSamplingInterval": 1,
    "collectMainLoopStatistics": true,
    "shouldPruneDB": true,
    "dataExpirationTime": 96,
    "maxDBSizeInBytes": 10485760,
    "percentileToDeleteOnPruning": 4
  }
}
Example output