When deploying the Qradar App for Symantec Endpoint Detection and Response, the amount of event data may be too much in large environments.
The symptom can be observed if SEDR is processing approximately 500 events per second or more, but it may vary based on the environment. The Qradar App will experience timeouts while trying to gather this much data. This will cause the operation to fail and the data will not be transmitted to Qradar.
The Qradar App does not have rate limiting logic to ingest events graciously during spikes in data. This will be addressed in a future release.
The current workaround is to use the ICDx software provided here: https://www.broadcom.com/products/cyber-security/integrated-cyber-defense/integrated-cyber-defense-exchange