Environment
- EDR Server: All versions (formerly CB Response)
Question
What is the check-in interval for sensors to the EDR server?
Answer
That's defined on /etc/cb/cb.conf.
- SensorCheckinDelayVariancePct
Default: 0.1
Smoothing factor for determining the next check-in for individual sensors. For example, if calculated check-in offset (which is calculated at runtime based on the number of active sensors, divided by SensorCheckinDelayRate) is 60, and SensorCheckinDelayVariancePct is 0.1, then actual next sensor check-in time is 60 +- 6. This helps to distribute sensor check-ins evenly.
Default: 100
Sets the maximum number of check-ins per second, per minion.
- SensorCheckinDelaySecOverride
Default: 0 (off)
Overrides the calculated check-in delay.
- CoreServicesMaxCheckinInterval
Default: 1335
Configures the maximum interval, in seconds, between successive sensor check-ins from a single sensor. Raising this value decreases the load on the server, as there are fewer sensor check-ins and fewer modifications to the event store.
- CoreServicesSmallScaleSensorCount
Default: 25
If the number of sensors that are currently active is less than this value, the sensor checkin interval is always 30 seconds. If it is greater, Cb Response calculates a dynamic checkin interval.
Default: 30
This is the minimum number of seconds that the Sensors will wait before checking in again.
Additional Notes
The smallest dynamic checkin interval for a sensor is 30 seconds
