I'm wondering if anyone can give me a ballpark as to how much space it would be prudent to provision for the shared folders that HDLP will write events/evidence to. We have a small network with 125 systems and we'll start in monitoring mode.
While I'm not really up yet on policy creation as far as how it will fit our org, I get the concepts. We'll start with fairly toothless policies as we build out our test bed.
Any general insight/ tips would be much appreciated.
The events are stored in SQL, and that share holds only the evidence (when the Reaction rule has the "Store evidence" option checked). It's up to you to do a correct sizing depending on the rules you create and how specific they are.
For e-mail you'll have both the body of the message and the attachment as two separate files in the event, and they're stored in the evidence folder. If you uncheck "Store evidence", you'll then have only the name of the attached file that triggered the rule.