EDR: SIEM events are not captured properly and payload is truncated

Article ID: 287487


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

SIEM events are not captured properly and payload is truncated

Environment

  • EDR Server: All supported versions
  • Event Forwarder: All Supported Versions
  • IBM QRadar

Cause

The Event Forwarder has been configured to send events to the SIEM over UDP syslog. UDP gives no delivery guarantee and only obliges the receiver to accept small messages, so large EDR event payloads are cut off at the receiver's buffer size and events whose datagrams are dropped on the way are lost entirely.

Resolution

Reconfigure the Event Forwarder to send to the SIEM over TCP (or TCP with TLS) instead of UDP, and make sure the matching QRadar log source is listening on the same protocol and port. TCP is the preferred transport because each event is delivered as a complete, ordered byte stream rather than as a single datagram that can be dropped in transit or cut off by the receiver. After the change, confirm that a large event (for example, a process start with a long command line) arrives in QRadar with its full payload.

Additional Information

RFC 5426 (Transmission of Syslog Messages over UDP) only requires a receiver to accept messages of up to 480 octets on IPv4 and 1180 octets on IPv6; support for 2048 octets is a SHOULD, and anything larger is implementation dependent. A UDP syslog message is a single datagram, so a receiver whose buffer is sized to that minimum keeps the first 1180 bytes and silently discards the rest, and a datagram dropped anywhere on the path is never retransmitted. EDR events are JSON documents that routinely exceed this size (a process event carrying a long command line can be several kilobytes), which is why the payloads that reach QRadar appear cut off. Syslog over TCP (RFC 6587, or RFC 5425 with TLS) is a byte stream with no per-message size limit and is delivered reliably.
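The following is an added example, not part of this article and not Carbon Black product code. It reproduces the symptom on loopback: a constructed EDR-style process event is wrapped in a syslog header and sent once over UDP to a receiver that allocates only the RFC 5426 IPv6 minimum (1180 bytes), and once over TCP using RFC 6587 octet-counting framing. The hostnames, GUIDs, command line and event fields are invented for the demonstration.

```python
"""Added example (not from the KB article or the Carbon Black code base):
shows a UDP syslog receiver with the RFC 5426 minimum buffer truncating a
large EDR event, and a TCP receiver with RFC 6587 octet-counting framing
delivering the same event intact. All values are constructed."""
import json
import socket
import threading

# RFC 5426 section 3.2: receivers MUST accept 480 octets (IPv4) / 1180 octets
# (IPv6) and SHOULD accept 2048; larger datagrams are not guaranteed anywhere.
UDP_MIN_IPV4 = 480
UDP_MIN_IPV6 = 1180
UDP_RECOMMENDED = 2048


def build_event() -> bytes:
    """Constructed JSON resembling a large EDR process-start event (invented values)."""
    long_cmdline = "powershell.exe -nop -w hidden -enc " + "QUFB" * 600  # ~2.4 KB
    event = {
        "type": "ingress.event.procstart",
        "computer_name": "WKSTN-01",
        "process_guid": "00000001-0000-0a1c-01d9-000000000000",
        "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "command_line": long_cmdline,
        "username": "corp\\jdoe",
    }
    return json.dumps(event).encode()


def syslog_message(payload: bytes) -> bytes:
    """Wrap the JSON in an RFC 5424 header; PRI 134 = local0 (16*8) + info (6)."""
    return b"<134>1 2024-01-01T00:00:00Z cbedr cb-event-forwarder - - - " + payload


def udp_roundtrip(msg: bytes, receiver_bufsize: int) -> bytes:
    """Send one datagram to a local UDP receiver whose recv buffer is receiver_bufsize.
    On Linux/BSD the excess bytes are silently discarded (Windows raises WSAEMSGSIZE)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(5)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(msg, rx.getsockname())
        return rx.recv(receiver_bufsize)
    finally:
        tx.close()
        rx.close()


def tcp_roundtrip(msg: bytes) -> bytes:
    """Send the same message over TCP with RFC 6587 octet-counting framing
    ("<length> <message>"); the receiver reads exactly <length> bytes, so size is irrelevant."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    received = {}

    def receiver():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while b" " not in buf:           # read until the length prefix is complete
                buf += conn.recv(64)
            length, rest = buf.split(b" ", 1)
            want = int(length)
            while len(rest) < want:          # keep reading until the whole frame is in
                rest += conn.recv(4096)
            received["msg"] = rest[:want]

    t = threading.Thread(target=receiver)
    t.start()
    with socket.create_connection(srv.getsockname(), timeout=5) as tx:
        tx.sendall(b"%d %s" % (len(msg), msg))
    t.join(5)
    srv.close()
    return received["msg"]


def compare_transports() -> dict:
    """Byte counts a practitioner would compare when diagnosing truncation."""
    msg = syslog_message(build_event())
    udp = udp_roundtrip(msg, UDP_MIN_IPV6)
    tcp = tcp_roundtrip(msg)
    return {
        "sent": len(msg),
        "udp_received": len(udp),
        "udp_truncated": len(udp) < len(msg),
        "tcp_received": len(tcp),
        "tcp_intact": tcp == msg,
    }


if __name__ == "__main__":
    for key, value in compare_transports().items():
        print(f"{key}: {value}")
```

Running it shows the UDP copy stopping at exactly 1180 bytes while the TCP copy matches the sent message byte for byte. The same comparison can be made against a real QRadar listener by sending a known oversized test event over each transport and checking the payload length QRadar stores. In the Event Forwarder this corresponds to changing the syslog destination from a `udp:` to a `tcp:` (or `tcp+tls:`) transport; this example assumes that key layout, so verify it against the `cb-event-forwarder.conf` shipped with your forwarder version.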