EDR: How to Setup Site Throttling

Article ID: 287799

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Enable Site Throttling within EDR

Environment

  • EDR Server: 6.x and above
  • EDR Sensor: 6.1.2 - 6.1.9 and 6.2.2 and higher

Resolution

  1. Configure a site with the appropriate bandwidth settings in <loginname> > Settings > Sites.
  2. Configure the bandwidth usage using the Calendar to set the throttle limit.
  3. Assign the site to the sensor group by selecting the site under Sensor Group General Options > Site Assignment.

Additional Information

  • Modifying bandwidth settings for sites requires Global Administrator status for on-premise installations and Administrator status for the cloud.
  • Throttling can be configured per site via sensor groups, per hour, per day.
  • Throttling limits the bandwidth used by a group of endpoint sensors. It is often used on low-bandwidth sites or sites that are bandwidth constrained at certain times of the day.
  • The trade-off when throttling is invoked is a delay in data sent back to the central server for analysis against watchlists and the availability of the data in the console.
  • The Nginx access.log may show an increase in HTTP 503 responses once site throttling is enabled. This is normal.
  • Console users can override the network throttle by enabling “sync” to any individual host to instruct the host to ignore any configured throttles and send all data immediately.
  • Throttles shape the volume of traffic to the server from sensors at particular times. They do not reduce overall traffic. To reduce traffic, reduce data collected on the sensor group’s configuration.
  • The maximum sensor checkin rate can be configured through SensorCheckinDelayRate in cb.conf.
  • The default value of SensorCheckinDelayRate is 100, which corresponds to a maximum of 100 checkins/second/server node.
  • Reducing this value reduces network traffic due to checkins, but also reduces how often sensors send statistics and retrieve any configuration changes.
  • Due to the number of processes generated on those endpoints, Mac and Linux sensors may drive higher bandwidth utilization.
  • If needed, create a new site to adjust further throttling for sensor groups outside of the default site.
  • Settings are applied per site, not per sensor group.
  • Additional information about site throttling is available in the Operating Environment Requirements.
  • Site Throttling is measured in Kilobytes/sec (KB/s).
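
To check that the HTTP 503 increase noted above is the expected effect of throttling, the following added example (not part of the original article or of the product) tallies 503 responses per hour and lists hours with a high 503 share for which no throttle is configured. It assumes the standard nginx "combined" log format, log timestamps in the same time zone as the site calendar, and an arbitrary 25% threshold; the sample lines and the throttled hours are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in nginx "combined" format (assumed; not taken from a real
# EDR server). Addresses and request paths are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:08:01:12 +0000] "POST /placeholder HTTP/1.1" 503 197 "-" "-"
192.0.2.11 - - [12/Mar/2024:08:14:40 +0000] "POST /placeholder HTTP/1.1" 200 512 "-" "-"
192.0.2.12 - - [12/Mar/2024:08:37:05 +0000] "POST /placeholder HTTP/1.1" 503 197 "-" "-"
192.0.2.10 - - [12/Mar/2024:09:02:51 +0000] "POST /placeholder HTTP/1.1" 503 197 "-" "-"
192.0.2.11 - - [12/Mar/2024:09:48:19 +0000] "POST /placeholder HTTP/1.1" 200 512 "-" "-"
192.0.2.12 - - [12/Mar/2024:14:05:33 +0000] "POST /placeholder HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [12/Mar/2024:14:20:02 +0000] "POST /placeholder HTTP/1.1" 200 512 "-" "-"
192.0.2.11 - - [12/Mar/2024:15:11:47 +0000] "POST /placeholder HTTP/1.1" 503 197 "-" "-"
192.0.2.12 - - [12/Mar/2024:15:30:09 +0000] "POST /placeholder HTTP/1.1" 503 197 "-" "-"
this line is truncated and must be skipped
"""

# Fields: remote_addr, ident, user, [time_local], "request", status
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')


def hourly_503(log_text):
    """Return {"YYYY-MM-DD HH": (count_503, total_requests)} per hour seen."""
    total, hits = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hour = ts.strftime("%Y-%m-%d %H")
        total[hour] += 1
        hits[hour] += m.group(2) == "503"
    return {h: (hits[h], total[h]) for h in sorted(total)}


def unexpected_503_hours(stats, throttled_hours, min_ratio=0.25):
    """Hours whose 503 share is >= min_ratio but that have no throttle set."""
    return [h for h, (n503, n) in stats.items()
            if n503 / n >= min_ratio and int(h[-2:]) not in throttled_hours]


if __name__ == "__main__":
    stats = hourly_503(SAMPLE_LOG)
    for hour, (n503, n) in stats.items():
        print(f"{hour}:00  503={n503}/{n}")
    # Hours 8 and 9 carry a throttle in the (hypothetical) site calendar.
    print("review:", unexpected_503_hours(stats, throttled_hours={8, 9}))
```

Hours returned by `unexpected_503_hours` are the ones to look at more closely, since their 503 responses do not coincide with a configured throttle window.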