Huge size for elastic endpoint (defend) integration indices?

Hello,

Cluster information:
3 nodes with 1TB

I have configured a fleet server with elastic defend integration to start using elastic security.
Currently only 2 servers are enrolled with the agent. Here is the integrations of the policy that we use:

  • Endpoint Security

  • Elastic APM

  • Auditd Logs

  • ModSecurity Audit

  • System (deactivated process, network, file)

Everything works fine but I would like to share with you my disk usage for the elastic integration because I think it's a huge amount for only 2 servers enrolled.

There is 1 replica so we are around 25GB for only 2 servers per day with 50GB disk usage.

I have 30 servers to monitor; are we going to use 750GB per day for process events only? Is that normal?

It happens :wink: Some processes are particularly noisy and quickly fill up the indices. It's possible to suppress such events, but it makes blind spots in your data so it's an opt-out for users.
See details here: Event Filters

I forgot to mention that since we added the Event Filters, we also started looking closely at which events have little value and are curating an out-of-the-box filter. This filter can be toggled off by an advanced policy option.

I hope you don't have it accidentally set to false.
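To make the "noisy process" point concrete, here is an added example (not code from this thread or from Elastic Defend itself) that ranks a constructed batch of endpoint process events by source process, models a candidate event filter as a list of "field is value" conditions scoped to an OS, and estimates how many events and bytes the filter would drop. The event shape, the filter model and the `make_event`/`noisiest_processes`/`estimate_reduction` helpers are assumptions made for the example; the real Defend filter is configured in Kibana, not with this code. The last function only restates the thread's storage arithmetic (per-host primary size × hosts × (1 + replicas)).

```python
"""Rank noisy endpoint processes in a sample of Defend-style events and
estimate the volume a candidate event filter would remove (added example)."""
from collections import Counter
import json


def make_event(host, os_type, name, executable, parent):
    """Build a trimmed ECS-style process event (constructed sample; real
    Elastic Defend documents carry many more fields)."""
    return {
        "event": {"category": "process", "action": "start"},
        "host": {"name": host, "os": {"type": os_type}},
        "process": {"name": name, "executable": executable,
                    "parent": {"name": parent}},
    }


# Constructed sample batch: one chatty cron-spawned shell dominates the volume.
SAMPLE_EVENTS = (
    [make_event("web-01", "linux", "sh", "/usr/bin/sh", "cron")] * 40
    + [make_event("web-02", "linux", "php-fpm", "/usr/sbin/php-fpm", "php-fpm")] * 25
    + [make_event("web-01", "linux", "curl", "/usr/bin/curl", "sh")] * 10
    + [make_event("web-02", "linux", "sshd", "/usr/sbin/sshd", "systemd")] * 5
)


def get_field(event, dotted):
    """Resolve a dotted ECS field name such as 'process.parent.name'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def noisiest_processes(events, top_n=3):
    """Return [(key, event_count, approx_bytes)] for the busiest
    (process.name, process.parent.name) pairs; bytes are the serialized
    JSON length, a rough stand-in for index footprint."""
    counts, size = Counter(), Counter()
    for ev in events:
        key = (get_field(ev, "process.name"), get_field(ev, "process.parent.name"))
        counts[key] += 1
        size[key] += len(json.dumps(ev))
    return [(k, counts[k], size[k]) for k, _ in counts.most_common(top_n)]


# Assumed filter model: an entry matches when the OS matches AND every
# (field, value) condition holds; any matching entry drops the event.
CANDIDATE_FILTER = [
    {"os": "linux",
     "conditions": [("event.category", "process"),
                    ("process.name", "sh"),
                    ("process.parent.name", "cron")]},
]


def matches_entry(event, entry):
    if get_field(event, "host.os.type") != entry["os"]:
        return False
    return all(get_field(event, f) == v for f, v in entry["conditions"])


def apply_event_filter(events, filter_entries):
    """Keep only events that no filter entry matches (what would reach ES)."""
    return [ev for ev in events
            if not any(matches_entry(ev, e) for e in filter_entries)]


def estimate_reduction(events, filter_entries):
    kept = apply_event_filter(events, filter_entries)
    before = sum(len(json.dumps(e)) for e in events)
    after = sum(len(json.dumps(e)) for e in kept)
    return {"events_before": len(events), "events_after": len(kept),
            "bytes_before": before, "bytes_after": after,
            "reduction_pct": round(100 * (1 - after / before), 1) if before else 0.0}


def project_daily_storage_gb(primary_gb_per_host_per_day, hosts, replicas):
    """Daily on-disk volume including replica copies."""
    return primary_gb_per_host_per_day * hosts * (1 + replicas)


if __name__ == "__main__":
    for key, n, nbytes in noisiest_processes(SAMPLE_EVENTS):
        print(f"{key}: {n} events, ~{nbytes} bytes")
    print(estimate_reduction(SAMPLE_EVENTS, CANDIDATE_FILTER))
    # 12.5GB primary per host per day (25GB / 2 hosts), 30 hosts, 1 replica
    print(project_daily_storage_gb(12.5, 30, 1), "GB/day")
```

Before committing to a filter like the one above, check what the suppressed pair actually is; a cron-spawned shell is exactly the kind of thing an attacker can hide behind, so the blind spot the reply warns about is real and should be documented alongside the filter.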

Thank you for your reply.
I can confirm that I have not set the value to false, all advanced settings are default.

I will take a look at the event filter.

If I understand correctly, the filtered events can always be used to trigger alerts, but they are not indexed in ES, is that right?

Events filtered out by Endpoint are dropped just before going to the wire so all detections work internally raising appropriate Alerts, moving malware into quarantine, etc.