Cb Response: Expected event volume when using the Cb-Event-Forwarder



Article ID: 289033


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What is the expected amount of event volume from the cb-event-forwarder to my SIEM?

Environment

  • Carbon Black Response Console: All versions
  • Carbon Black Response Cb-Event-Forwarder: All Versions

Resolution

  • In a normal environment with full event collection, expect ~10 events/second/endpoint.
  • Results may vary. Do not start by sending ALL RAW events; start with feed/watchlist/alert hits, as these are lower impact.
  • Then add further event logging as needed, specifying as precisely as possible which events are useful according to your security policy.

Additional Information

  • The Cb-Event-Forwarder is set by default to send all events. This should be adjusted by the user during the setup in the cb-event-forwarder.conf file.
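
A starting configuration that follows the advice above, added here as an example and not taken from the original article. The key and event-type names are recalled from the `[bridge]` section of the sample cb-event-forwarder.conf and are an assumption; check them against the file installed with your forwarder version.

```ini
[bridge]
# Default behaviour, shown for comparison only: forward every raw sensor event.
# With full collection at ~10 events/second/endpoint, this is what drives
# SIEM ingest volume.
# events_raw_sensor=ALL

# Step 1: start with the lower-impact hits only.
events_raw_sensor=0
events_watchlist=ALL
events_feed=ALL
events_alert=ALL
events_binary_observed=0
events_binary_upload=0

# Step 2 (later, once SIEM capacity is confirmed): replace the
# events_raw_sensor=0 line above with a comma-delimited list of only the
# raw event types your security policy needs, instead of ALL.
# events_raw_sensor=ingress.event.procstart,ingress.event.netconn
```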