Showing results for 
Search instead for 
Did you mean: 
Level 10

Space required for the HDLP share folders

I'm wondering if anyone can give me a ballpark as to how much space it would be prudent to provision for the shared folders that HDLP will write events/ evidence to. We have a small network with 125 systems and we'll start in monitoring mode.

While I'm not really up yet on policy creation as far as how it will fit our org, I get the concepts. We'll start with fairly toothless policies as we build out our test bed.

I'm mainly concerned about emails that may be blocked. If they are, do they AND their attachments both go to the evidence folder?

Any general insight/ tips would be much appreciated.

0 Kudos
1 Reply
Level 13

Re: Space required for the HDLP share folders

The events are stored in SQL and that share holds only the evidence (Reaction rule has the option Store evidence checked). It's up to you to do a correct sizing depending on the rules you create and how specific are they.

For e-mail you`ll have both the body of the message and the attachment as two separate files in the event and they're stored in the evidence folder. If you uncheck the "Store evidence" you'll then have only the name of the file in the attachment that triggered the rule.

0 Kudos