How to limit the performance impact of Automatic Responses on the ePolicy Orchestrator server
Last Modified: 2023-07-14 04:50:00 Etc/GMT
Technical Articles ID: KB81642
Environment: ePolicy Orchestrator (ePO) 5.x
Summary
ePO Automatic Responses are a powerful way to trigger specific actions immediately when a client or threat event is received. But it is important to configure Automatic Responses carefully, because a poorly scoped response can severely degrade the performance of the ePO server itself.
Problem
Poorly configured Automatic Responses can cause the following:
Solution
Avoid configuring Automatic Responses that potentially meet these criteria:
ePO keeps all aggregated events in the application server's memory, so responses configured in this way can lead to severe memory use and degrade the performance of the ePO server.
Make responses as specific as possible. It is preferable to configure responses that trigger less often and only for critical events. Example: instead of configuring a response to send an email every time a threat event is received, configure the response to trigger only when a threat event is unhandled. This vastly reduces the number of responses triggered while still providing immediate feedback for critical issues.
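To quantify the reduction in the article's example before changing a response, the following query (an added example, not part of KB81642 or of ePO itself) counts how often a rule on every threat event would have fired compared with one on unhandled events only, and the worst hourly burst each rule would have had to aggregate in memory. It assumes an ePO 5.x SQL Server database in which threat events are stored in dbo.EPOEvents with ReceivedUTC and ThreatHandled columns; confirm those names against your own database first.

```sql
-- Added sizing check for this article; it is not part of KB81642 or an ePO feature.
-- Assumption: ePO 5.x SQL Server database where threat events are stored in
-- dbo.EPOEvents with columns ReceivedUTC (datetime) and ThreatHandled (bit,
-- 0 = the product could not handle the threat). Verify these names before use.
DECLARE @days int = 7;   -- look-back window; widen it to cover a representative period

WITH recent AS (
    SELECT
        ThreatHandled,
        -- truncate the receipt time to the hour so events arriving together can be grouped
        DATEADD(hour, DATEDIFF(hour, 0, ReceivedUTC), 0) AS ReceivedHour
    FROM dbo.EPOEvents
    WHERE ReceivedUTC >= DATEADD(day, -@days, GETUTCDATE())
),
hourly AS (
    -- events received in the same hour are what an aggregating response holds in memory at once
    SELECT
        ReceivedHour,
        COUNT(*)                                           AS AllEvents,
        SUM(CASE WHEN ThreatHandled = 0 THEN 1 ELSE 0 END) AS UnhandledEvents
    FROM recent
    GROUP BY ReceivedHour
)
SELECT
    SUM(AllEvents)       AS AllThreatEvents,        -- triggers for a response on every threat event
    SUM(UnhandledEvents) AS UnhandledThreatEvents,  -- triggers for the "unhandled only" response
    MAX(AllEvents)       AS PeakHourAll,            -- worst-hour burst the broad rule would aggregate
    MAX(UnhandledEvents) AS PeakHourUnhandled,      -- worst-hour burst the narrow rule would aggregate
    CAST(100.0 * SUM(UnhandledEvents) / NULLIF(SUM(AllEvents), 0) AS decimal(5,1))
                         AS UnhandledPercent         -- share of events the narrow rule still reacts to
FROM hourly;
```

Run it against the ePO database from SQL Server Management Studio; a large gap between AllThreatEvents and UnhandledThreatEvents is the reduction the article describes, and PeakHourAll shows how much a response on every event would hold in memory during a burst.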