I am doing some bandwidth sizing for a number of areas of a solution here and I would like to run something past you guys.
The idea of using Priority Event Forwarding is obviously to ensure visibility of events sooner than a lax ASCI would allow. The throttling is there obviously to ensure the ePO server is not "choked" if a lot of clients have to send back events at the same time.
Am I correct in saying, though, that if say Machine X had an ASCI of 1 hour, and for this day it was reporting in on the hour every hour, so it had last called in at 15:00, the machine then got infected at 15:30 and generated 30 critical events, of which 10 events were sent back, am I right that although it says throttle a max of 10 events per hour, at the next ASCI, in this case 16:00, the other 20 events would be sent?
Which brings me on to the question: how possible is it for a machine, under certain conditions, to generate thousands of detection events? Is there an internal mechanism to control how many events are created for one particular threat, or is this a potential scenario?
Personally, I have never seen a machine generate thousands of events; usually maybe only 20 or so, dependent on the type of infection. But I am thinking out loud here about the potential for an outbreak to occur, where multiple machines generate 1000s of events which, while throttled by the Priority Event Forwarding setting, proceed to send the rest all in at the next ASCI, and potentially saturate a link they may be using (if they are connecting via a slow WAN link into an ePO server in a core DC).
Forwarding of events has nothing to do with ASCI. It runs on its own schedule, which is controlled from the Events tab shown below. Do not change the default settings below. This allows more critical events such as a virus to be sent up immediately regardless of when the next ASCI is. It also has built-in throttling to control an event saturation scenario. It's not something I would worry about; the agent does a great job of throttling events even in the case where a machine has generated thousands of events in a short period of time. This can happen, but rarely.
Thank you for the response. So, on a regular ASCI events are not uploaded? As far as I knew they were, in which case events that were 'throttled' and not uploaded using the 'priority event forwarding' feature would then be sent instead at the next ASCI?
Sorry, to be clear: normal events such as an update succeeded are sent during the ASCI, but priority events that are considered more important are sent on the schedule dictated in the picture I included. Obviously these events are considered more urgent than "normal" events, so they are sent as needed.
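The sizing question raised in this thread, as an added example that is not part of the original posts and is not the product's own code: a toy Python simulation of one or many agents that raise a burst of priority events, forward them on a separate priority schedule with a per-interval cap, and call in at their ASCI. Whether still-throttled priority events are flushed at the next ASCI is exactly the point the thread leaves open, so the model takes it as a flag and runs both readings side by side. Every number in it (5 minute priority interval, cap of 10 events per interval, 60 minute ASCI, 1000 byte events, 2 Mbit/s link, 50 agents, 1000 events per agent) is an assumption chosen to illustrate the arithmetic, not a documented product default; take the real values from your own agent policy before using this for sizing.

```python
"""Toy model of agent event forwarding against a WAN link.

Added example for the thread above; not code from the thread or from the
ePO product. Every schedule number here (priority interval, per-interval
cap, ASCI, event size, link speed) is an assumption chosen to illustrate
the sizing question, not a documented product default.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Agent:
    asci_min: int       # ASCI length in minutes (assumed 60 below)
    asci_offset: int    # minute within the ASCI cycle when this agent calls in
    prio_queue: deque = field(default_factory=deque)    # unsent priority events
    normal_queue: deque = field(default_factory=deque)  # unsent normal events


def simulate(agents, bursts, minutes, prio_interval, prio_cap, event_bytes,
             drain_prio_at_asci):
    """Return (bytes_per_minute, events_still_queued) for the whole fleet.

    bursts maps (minute, agent_index) -> (n_priority, n_normal) events raised.
    Priority events leave on the priority schedule, at most prio_cap per
    interval per agent; normal events leave at the agent's ASCI.
    drain_prio_at_asci models the two readings in the thread: True flushes
    still-throttled priority events at the ASCI, False leaves them on the
    priority schedule only. Assumption, not product behaviour.
    """
    per_minute = [0] * minutes
    for t in range(minutes):
        for i, agent in enumerate(agents):
            n_prio, n_norm = bursts.get((t, i), (0, 0))
            agent.prio_queue.extend([t] * n_prio)
            agent.normal_queue.extend([t] * n_norm)
            sent = 0
            if t % prio_interval == 0:                  # priority forwarding tick
                n = min(prio_cap, len(agent.prio_queue))
                for _ in range(n):
                    agent.prio_queue.popleft()
                sent += n
            if t % agent.asci_min == agent.asci_offset:  # regular ASCI
                sent += len(agent.normal_queue)
                agent.normal_queue.clear()
                if drain_prio_at_asci:
                    sent += len(agent.prio_queue)
                    agent.prio_queue.clear()
            per_minute[t] += sent * event_bytes
    leftover = sum(len(a.prio_queue) + len(a.normal_queue) for a in agents)
    return per_minute, leftover


def peak_utilization(per_minute, link_bps):
    """Fraction of link capacity used in the busiest minute.

    Bytes are averaged over a whole minute, so this is a lower bound: the
    real upload is a burst lasting seconds and hits the link harder.
    """
    return max(per_minute) * 8 / 60 / link_bps


def outbreak_scenario(n_agents, burst, drain_prio_at_asci, staggered=False):
    """Constructed outbreak: every agent raises `burst` priority events at
    minute 31 on a 60 minute ASCI. Aligned agents all call in at minute 0 of
    the hour (worst case); staggered agents are spread across the hour."""
    agents = [Agent(60, i % 60 if staggered else 0) for i in range(n_agents)]
    bursts = {(31, i): (burst, 0) for i in range(n_agents)}
    return simulate(agents, bursts, minutes=120, prio_interval=5, prio_cap=10,
                    event_bytes=1000, drain_prio_at_asci=drain_prio_at_asci)


if __name__ == "__main__":
    LINK = 2_000_000  # assumed 2 Mbit/s WAN link into the core DC
    for drain in (True, False):
        for stag in (False, True):
            per_min, left = outbreak_scenario(50, 1000, drain, stag)
            print(f"drain_at_asci={drain!s:5} staggered={stag!s:5} "
                  f"peak={max(per_min):>10,d} B/min "
                  f"util={peak_utilization(per_min, LINK):6.1%} "
                  f"queued_after_2h={left}")
```

Running it shows the two readings diverge sharply: if throttled events are flushed at the ASCI, a single agent with 1000 events pushes 950 of them in one minute at the top of the hour and 50 aligned agents multiply that by 50, whereas if the priority schedule alone drains the queue the link never sees more than the cap per interval per agent but 830 events per agent are still waiting after two hours. Staggering ASCI offsets spreads the first case across the hour, which is the lever a WAN-constrained site has regardless of which reading is right.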