Critical System Protection

  • 1.  CSP Database sizing guide

    Posted Feb 03, 2014 11:48 AM

    Hi there,

    I am struggling quite a bit to find a sizing guideline for the CSP database. I've seen articles on tempdb sizes and how to reduce the size, but nothing to estimate the size of the database prior to pushing out agents. Anyone able to point me in the right direction on this?



  • 2.  RE: CSP Database sizing guide

    Posted Feb 03, 2014 05:15 PM

    In short, it depends.  

    It depends on how many machines and how many events per day you expect, and what their data retention policy is, and if they want to use a 3rd party SIEM tool to collect all the data.  If the customer has really noisy policies, then that also needs to be taken into account.  

    A well-tuned CSP environment should only contain a select few actionable events, but there are some people that log everything with CSP.  

    The average event is 2k in size, and that goes into the CSPEvent table.  This is where the bulk of the data will reside.  

    If there is an APT going on, there will be much more data, and that should be taken into consideration when sizing an environment -- allow extra room for those critical times so you don't end up DoSing CSP by filling up the database.