EDR: SIEM events are not captured properly and payload is truncated
Article ID: 287487
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
SIEM events are not captured properly and payload is truncated
Environment
- EDR Server: All supported versions
- Event Forwarder: All Supported Versions
- Qradar
Cause
The Event Forwarder has been configured to send messages to the SIEM over UDP, which provides no delivery guarantee and limits the size of each message to a single datagram.
Resolution
Configure the Event Forwarder to send to the SIEM over TCP. TCP is the preferred transport because it avoids message loss and truncation: events are delivered as a stream rather than as individual datagrams.
Additional Information
The syslog-over-UDP RFC (RFC 5426) only requires a syslog receiver to accept datagrams of up to 1180 bytes, so a JSON event larger than that can be cut off or discarded by the receiver when sent over UDP.
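As an added illustration (not part of this article and not the Event Forwarder's own code), the following Python script sends a constructed EDR-style JSON event over loopback UDP to a receiver that reads at most 1180 bytes, and then sends the same event over TCP. It shows that the UDP copy is cut off and no longer parses as JSON, while the TCP copy arrives intact. The event contents, the size limit and the use of ephemeral loopback ports are constructed for the demonstration; it assumes Linux-style datagram sockets, which silently drop the bytes that do not fit in the receive buffer.

```python
import json
import socket

# Minimum receive size the article cites for a syslog-over-UDP receiver (bytes).
RECEIVER_MAX = 1180


def build_event(num_args: int) -> bytes:
    """Constructed sample EDR-style JSON event (not real Carbon Black output).

    A long command line makes the event larger than RECEIVER_MAX.
    """
    event = {
        "type": "ingress.event.procstart",          # constructed field values
        "hostname": "WORKSTATION-01",
        "process_path": "c:\\windows\\system32\\cmd.exe",
        "command_line": "cmd.exe /c " + " ".join(f"arg{i}" for i in range(num_args)),
    }
    return json.dumps(event).encode()


def udp_at_risk(payload: bytes, limit: int = RECEIVER_MAX) -> bool:
    """True when a single-datagram delivery could exceed what the receiver must accept."""
    return len(payload) > limit


def send_udp_and_receive(payload: bytes) -> bytes:
    """Deliver payload over loopback UDP to a receiver whose buffer is RECEIVER_MAX bytes."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))
    port = receiver.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(payload, ("127.0.0.1", port))
    # On Linux, bytes beyond the buffer size are discarded; the rest of the event is lost.
    data, _ = receiver.recvfrom(RECEIVER_MAX)
    sender.close()
    receiver.close()
    return data


def send_tcp_and_receive(payload: bytes) -> bytes:
    """Deliver payload over loopback TCP; the receiver reads the stream until EOF."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(payload + b"\n")   # newline-delimited, as syslog over TCP commonly is
    client.close()                    # FIN tells the receiver the message is complete
    conn, _ = listener.accept()
    chunks = []
    while True:
        chunk = conn.recv(RECEIVER_MAX)   # same small buffer, but the stream reassembles
        if not chunk:
            break
        chunks.append(chunk)
    conn.close()
    listener.close()
    return b"".join(chunks).rstrip(b"\n")


def parses_as_json(data: bytes) -> bool:
    """A truncated event fails here, which is what the SIEM would see as a bad record."""
    try:
        json.loads(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    event = build_event(300)
    print("event size:", len(event), "bytes; at risk over UDP:", udp_at_risk(event))
    udp_copy = send_udp_and_receive(event)
    tcp_copy = send_tcp_and_receive(event)
    print("UDP received", len(udp_copy), "bytes, valid JSON:", parses_as_json(udp_copy))
    print("TCP received", len(tcp_copy), "bytes, valid JSON:", parses_as_json(tcp_copy))
```

The same small receive buffer is used on both paths; the difference is that the TCP receiver keeps reading until the stream ends, whereas the UDP receiver gets one datagram and whatever did not fit is gone. This is why the Resolution above prefers TCP for the SIEM output.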