I am trying to free up space on the ESM, and the space allocation is currently set at 50/50 between flow data and event data. However, we do not utilize flow data.
What are the implications of increasing the space for event data to, say, 90% in terms of the ESM remaining available?
Can this be configured back to 50/50 later?
What would need to be done to be able to feed flow data into the SIEM if we were going to utilize it?
The DB will rebuild and the GUI will have downtime while the partitions are reallocated. You can change back to 50/50, but you will lose data, so decide first, then do it. I don't suggest rolling back. A smaller partition percentage means less disk space for flow data, so it will get purged more quickly.
Tangential data point: I used to be a huge proponent of NetFlow data in the SIEM, but over the years I've come to realize that in most cases the most critical flows are already being logged as flow setups/teardowns by your firewall. Beyond that, the use case becomes tracking lateral traffic, but I think even that should be collected opportunistically to support specific use cases, not wholesale across the org. Even better would be to deploy security sensors internally and collect from those instead for increased lateral visibility.