
Cb Response: Expected event volume when using the Cb-Event-Forwarder


Environment

  • Carbon Black Response Console: All versions
  • Carbon Black Response Cb-Event-Forwarder: All Versions

Question

What is the expected amount of event volume from the cb-event-forwarder to my SIEM?

Answer

  • In a normal environment with full event collection, roughly 10 events per second per endpoint can be expected.
  • Results vary between environments. Do not start by sending all raw events; begin with feed, watchlist and alert hits, which have a much lower impact on the SIEM.
  • Then add further event logging incrementally, enabling only the event types that are useful according to your security policy.

Additional Notes

  • By default, the Cb-Event-Forwarder is configured to send all events. Adjust this during setup in the cb-event-forwarder.conf file.
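As a check to run before pointing the forwarder at a SIEM, here is an added Python example (not Carbon Black's code) that parses a constructed cb-event-forwarder.conf, reports which event categories are enabled, sizes the raw-sensor load using the article's ~10 events/second/endpoint figure, and rewrites the file to the hit-only starting point the article recommends. The events_* key names, the use of 0 to disable a category, and the sample values are assumptions.

```python
import configparser
# Constructed sample cb-event-forwarder.conf in the send-everything default the article
# describes; the events_* key names and all values are assumptions, not real settings.
DEFAULT_CONF = """\
[bridge]
server_name=cbserver
output_type=tcp
tcpout=siem.example.internal:514
events_raw_sensor=ALL
events_watchlist=ALL
events_feed=ALL
events_alert=ALL
events_binary_observed=ALL
"""

EVENTS_PER_SEC_PER_ENDPOINT = 10  # the article's full-collection figure
LOW_IMPACT = ("events_watchlist", "events_feed", "events_alert")  # the recommended starting point
HIGH_VOLUME = "events_raw_sensor"  # the stream that drives the ~10 ev/s/endpoint load

def _load(text):
    """Parse the INI-style file, tolerating a file with no section header."""
    if not text.lstrip().startswith("["):
        text = "[bridge]\n" + text
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp[cp.sections()[0]]

def enabled_categories(text):
    """Return the events_* keys that are switched on (any value other than 0 or empty)."""
    return sorted(k for k, v in _load(text).items()
                  if k.startswith("events_") and v.strip() not in ("", "0"))

def audit(text, endpoint_count):
    """Flag the high-volume default and size the load it implies for the SIEM."""
    enabled = enabled_categories(text)
    raw_on = HIGH_VOLUME in enabled
    # Only full raw-sensor collection is sized by the article; hit-only output is lower.
    estimate = EVENTS_PER_SEC_PER_ENDPOINT * endpoint_count if raw_on else None
    return {"enabled": enabled, "raw_sensor_enabled": raw_on,
            "estimated_events_per_sec": estimate}

def restrict_to_hits(text):
    """Rewrite the config so only feed/watchlist/alert hits are forwarded."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key.startswith("events_") and key not in LOW_IMPACT:
            line = f"{key}=0"  # assumption: 0 disables a category in this file format
        out.append(line)
    return "\n".join(out) + "\n"
```

Run `audit(DEFAULT_CONF, <endpoint count>)` against your own file to see the implied event rate, then compare with `audit(restrict_to_hits(...), ...)` for the hit-only baseline.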

Article Information
Creation Date: 06-29-2018