Performance limitations with the QRadar App for Symantec EDR

Article ID: 211101

Products

Endpoint Detection and Response

Issue/Introduction

When deploying the QRadar App for Symantec Endpoint Detection and Response (SEDR) in a large environment, the volume of event data can exceed what the app is able to collect.

Environment

The symptom is typically observed when SEDR is processing approximately 500 events per second (EPS) or more, although the exact threshold varies by environment. At that volume the QRadar App's requests time out while it tries to gather the backlog of events. The collection operation fails, and the affected data is not transmitted to QRadar.

Resolution

The QRadar App currently has no rate-limiting logic, so it cannot ingest events gracefully during spikes in event volume. This will be addressed in a future release.
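The following is an added example, not code from the QRadar App, Symantec, IBM or Broadcom, illustrating the difference between the behaviour described above (one request for the entire backlog, which times out and transmits nothing) and a collector with rate limiting. The EDR API is a constructed stand-in: `EventSource.fetch(cursor, limit)` is a hypothetical pull endpoint returning up to `limit` events after `cursor`, the event stream is constructed in memory (steady 100 EPS with a 2000-event burst), and the transport timeout is modelled as a per-call event budget. The clock is simulated in milliseconds so the run is deterministic.

```python
"""Bounded-batch, rate-limited event poller (added example).

Not code from the QRadar App for Symantec EDR. `EventSource` is a
hypothetical stand-in for the EDR event API; the event stream and the
timeout model are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class EventSource:
    """Hypothetical stand-in for the EDR event API backed by an in-memory list."""

    def __init__(self, events: List[dict]) -> None:
        self.events = events

    def fetch(self, cursor: int, limit: int) -> Tuple[List[dict], int]:
        batch = self.events[cursor:cursor + limit]
        return batch, cursor + len(batch)


def constructed_spiky_events(base_eps: int = 100, spike_eps: int = 2000,
                             seconds: int = 10, spike_second: int = 4) -> List[dict]:
    """Constructed sample stream: a steady base rate with a one-second burst."""
    events: List[dict] = []
    for sec in range(seconds):
        rate = spike_eps if sec == spike_second else base_eps
        for _ in range(rate):
            events.append({"ts": sec, "seq": len(events)})
    return events


def naive_fetch_all(source: EventSource, per_call_budget: int) -> Optional[List[dict]]:
    """Models the failure mode in the article: one request for the whole
    backlog. If the backlog exceeds what fits inside the transport timeout
    (modelled here as `per_call_budget` events), the call times out and
    nothing is transmitted."""
    batch, _ = source.fetch(0, len(source.events))
    if len(batch) > per_call_budget:
        return None  # timeout: the operation fails and no data reaches the SIEM
    return batch


class TokenBucket:
    """Token bucket: refills `rate` tokens per second up to `burst` (starts empty)."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = 0.0
        self.last_ms = 0

    def available(self, now_ms: int) -> int:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate / 1000.0)
        self.last_ms = now_ms
        return int(self.tokens)

    def take(self, n: int) -> None:
        self.tokens -= n


def drain(source: EventSource, max_eps: int, batch_size: int,
          step_ms: int = 50, max_seconds: int = 60) -> Dict[str, int]:
    """Pull the backlog under two limits: a batch cap, so no single request
    can outgrow the transport timeout, and a token bucket, so sustained
    ingest never exceeds `max_eps`. A spike is drained as a backlog over
    several seconds instead of being requested all at once."""
    bucket = TokenBucket(rate=max_eps, burst=batch_size)
    cursor, ingested, max_batch, now_ms = 0, 0, 0, 0
    per_second: Dict[int, int] = defaultdict(int)
    while now_ms < max_seconds * 1000:
        allowed = min(batch_size, bucket.available(now_ms))
        if allowed > 0:
            batch, cursor = source.fetch(cursor, allowed)
            if not batch:
                break  # backlog fully drained
            bucket.take(len(batch))
            ingested += len(batch)
            max_batch = max(max_batch, len(batch))
            per_second[now_ms // 1000] += len(batch)
        now_ms += step_ms
    return {
        "ingested": ingested,
        "max_batch": max_batch,
        "peak_eps": max(per_second.values(), default=0),
        "elapsed_ms": now_ms,
    }


if __name__ == "__main__":
    src = EventSource(constructed_spiky_events())
    print("naive:", naive_fetch_all(src, per_call_budget=500))  # None: timed out
    print("throttled:", drain(src, max_eps=500, batch_size=50))
```

With the constructed stream (2900 events, 2000 of them in one second), the single-request collector fails outright, while the throttled collector delivers every event at no more than 500 EPS and in batches of at most 25 per 50 ms poll, finishing in under six simulated seconds. The design choice to make is the batch cap: it should be sized so that one request comfortably completes inside the collector's transport timeout at the slowest acceptable API response time, which is exactly the budget a collector without rate limiting has no way to enforce.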

The current workaround is to use the Integrated Cyber Defense Exchange (ICDx) software, available here: https://www.broadcom.com/products/cyber-security/integrated-cyber-defense/integrated-cyber-defense-exchange