3 Replies Latest reply on Jul 9, 2010 11:25 AM by djjava9

    Event Generation in an Outbreak Situation - Slow Link Saturation?

      Hi there


      I am doing some bandwidth sizing for a number of areas of a solution here and I would like to run something past you guys.


      The idea of using Priority Event Forwarding is obviously to ensure visibility of events sooner than a lax ASCI would allow. The throttling is there obviously to ensure the EPO server is not "choked" if a lot of clients have to send back events at the same time.


      Am I correct in saying, though, that if, say, Machine X had an ASCI of 1 hour and for this day it was reporting in on the hour every hour, so it had last called in at 15:00, and the machine then got infected at 15:30 and generated 30 critical events, of which 10 events were sent back, am I right that although it says throttle a max of 10 events per hour, at the next ASCI, in this case 16:00, the other 20 events would be sent?


      Which brings me onto the question: how possible is it for a machine, under certain conditions, to generate thousands of detection events? Is there an internal mechanism to control how many events are created for one particular threat, or is this a potential scenario?


      Personally, I have never seen a machine generate thousands of events; usually maybe only 20 or so, dependent on the type of infection. But I am thinking out loud here of the potential for an outbreak to occur where multiple machines generate 1000's of events which, while throttled by the Priority Event Forwarding setting, proceed to send the REST all in at the next ASCI and potentially saturate a link they may be using (if they are connecting via a slow WAN link into an EPO Server in a core DC).