After reading the section "Formula for endpoint data recorder data storage size" in the Symantec Advanced Threat Protection 3.2 Sizing and Scalability Guide, you may have questions about the formula itself or the numbers cited. The following questions and answers address the most common ones.
Q: When calculating, e is "Dump size... This number is the amount of disk space that you allocated on the endpoint". Are dumps that are cancelled or failed included in this number?
A: Yes. For these estimates, assume that every dump succeeds, so each dump counts at its full size against the space you allocated.
Q: When calculating, c is "Number of days = 30". Is the number of days fixed in ATP or configurable?
A: The number of days is fixed at 30 in ATP; it is not configurable.
Q: When using these formulae, b is the number representing "Endpoint data recorder size per endpoint per day". How is this determined?
A: These numbers come from earlier sizing research by the Engineering team:
• Average event generation rate: 1.6 events/min/endpoint
• Average event size on ATP: 800 bytes
• Size calculation:
1.6 events/min × 60 min × 24 h × 800 bytes = 1,843,200 bytes/day
1,843,200 bytes / (1024 × 1024) ≈ 1.76 MB, rounded to 1.7 MB
So the storage requirement for one endpoint is about 1.7 MB/day.
An FDR dump on the endpoint is taken as 10 GB on average; it is reduced by 25% when stored on ATP, so it occupies 7.5 GB there.
ATP stores at most 10 dumps, so worst-case dump storage is 10 × 7.5 GB = 75 GB.
1.6 events/min per endpoint across 50,000 endpoints is 80,000 events/min, roughly 1,333 events/sec, rounded up to about 1,500 eps.
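The figures above carried through to a total, as an added example that is not part of the guide or of any Symantec tooling: a small sizing calculator that reproduces the per-endpoint, per-day figure (b), the 30-day retention (c), the worst-case dump storage, and the aggregate event rate, and generalises them to any endpoint count. The function and constant names are assumptions made for this example; the only values taken from the page are the quoted constants (1.6 events/min, 800 bytes, 30 days, 10 GB, 25%, 10 dumps). The guide's full formula is not reproduced here, only the inputs the answer explains.

```python
# Added sizing calculator (not the guide's own formula). Function names and the
# MiB/GiB helpers are assumptions for this example; the constants below are the
# values quoted in the answer above.

MIB = 1024 ** 2
GIB = 1024 ** 3

# Constants quoted in the answer.
EVENTS_PER_MIN_PER_ENDPOINT = 1.6   # average event generation rate
EVENT_SIZE_BYTES = 800              # average size of one event stored on ATP
RETENTION_DAYS = 30                 # c: fixed in ATP, not configurable
DUMP_SIZE_GIB = 10                  # average FDR dump size on the endpoint
DUMP_REDUCTION = 0.25               # dump shrinks by 25% when stored on ATP
MAX_DUMPS = 10                      # ATP keeps at most this many dumps


def recorder_bytes_per_endpoint_per_day(events_per_min=EVENTS_PER_MIN_PER_ENDPOINT,
                                        event_bytes=EVENT_SIZE_BYTES):
    """b: recorder data one endpoint produces per day, in bytes (1,843,200 by default)."""
    return events_per_min * 60 * 24 * event_bytes


def recorder_bytes(endpoints, days=RETENTION_DAYS, **kw):
    """Recorder storage for `endpoints` endpoints over `days` days of retention."""
    return endpoints * days * recorder_bytes_per_endpoint_per_day(**kw)


def dump_bytes(max_dumps=MAX_DUMPS, dump_gib=DUMP_SIZE_GIB, reduction=DUMP_REDUCTION):
    """Worst-case dump storage on ATP.

    Every slot is assumed to hold a completed, average-size dump (the answer to the
    first question: count every dump, assume each succeeds), reduced by `reduction`.
    """
    return max_dumps * dump_gib * GIB * (1 - reduction)


def events_per_second(endpoints, events_per_min=EVENTS_PER_MIN_PER_ENDPOINT):
    """Aggregate event rate the ATP appliance must ingest from `endpoints` endpoints."""
    return endpoints * events_per_min / 60


def size_estimate(endpoints, days=RETENTION_DAYS):
    """Return the figures a sizing discussion needs, in MiB/GiB and events/sec."""
    per_day = recorder_bytes_per_endpoint_per_day()
    return {
        "per_endpoint_per_day_mib": per_day / MIB,
        "recorder_gib": recorder_bytes(endpoints, days) / GIB,
        "dump_gib": dump_bytes() / GIB,
        "total_gib": (recorder_bytes(endpoints, days) + dump_bytes()) / GIB,
        "events_per_second": events_per_second(endpoints),
    }


if __name__ == "__main__":
    for n in (1000, 10000, 50000):
        est = size_estimate(n)
        print(f"{n:>6} endpoints: recorder {est['recorder_gib']:,.1f} GiB + "
              f"dumps {est['dump_gib']:.0f} GiB = {est['total_gib']:,.1f} GiB, "
              f"{est['events_per_second']:,.0f} events/sec")
```

Note that the per-endpoint figure comes out at about 1.76 MiB/day rather than the 1.7 MB the guide quotes, and 50,000 endpoints give about 1,333 events/sec rather than 1,500; the guide's numbers are rounded, so treat the calculator's output as a floor and size with the same headroom the guide applies.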