I have configured a Fleet server with the Elastic Defend integration to start using Elastic Security.
Currently only 2 servers are enrolled with the agent. Here are the integrations of the policy that we use:
System (deactivated process, network, file)
Everything works fine, but I would like to share with you my disk usage for the Elastic integration because I think it's a huge amount for only 2 servers enrolled.
It happens that some processes are particularly noisy and quickly fill up the indices. It's possible to suppress such events, but it creates blind spots in your data, so it's an opt-out for users.
See details here: Event Filters
I forgot to mention that, since we added the Event Filters, we have also started looking closely at which events have little value and are curating an out-of-the-box filter. This filter can be toggled off by an advanced policy option.
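Before adding an Event Filter it helps to measure which (event category, executable) buckets actually dominate the endpoint indices, and to flag candidates whose suppression would create the kind of blind spot the reply warns about. The script below is an added example written for this thread, not code from Elastic or from anyone in the discussion. It assumes Elastic Defend documents in their ECS shape (`event.category`, `process.executable`, `host.name`); the sample documents and the `HIGH_VALUE_EXECUTABLES` list are constructed for illustration, and the KQL string it emits is the same field/value condition you would enter in the Event Filters form, which is an assumption about that UI rather than an API call.

```python
"""Rank Elastic Defend events by volume to find Event Filter candidates.

Added example for this thread (not Elastic's code). Sample data is constructed.
"""
import json
from collections import defaultdict


def _doc(category, action, executable, host):
    """Build one ECS-style endpoint event (trimmed to the fields used here)."""
    return json.dumps({
        "event": {"category": [category], "action": action,
                  "dataset": f"endpoint.events.{category}"},
        "process": {"executable": executable},
        "host": {"name": host},
    })


# Constructed sample telemetry: 72 documents, two obviously noisy buckets.
SAMPLE_NDJSON = "\n".join(
    [_doc("process", "exec", "/usr/bin/sh", "web-01")] * 40
    + [_doc("network", "connection_attempted", "/opt/monitoring/agent", "web-01")] * 25
    + [_doc("file", "modification", "/usr/bin/logrotate", "web-02")] * 5
    + [_doc("process", "exec", "/usr/bin/ssh", "web-02")] * 2
)

# Hypothetical list: executables whose events you would NOT want to filter,
# because attackers live in them (shells, interpreters). Extend to taste.
HIGH_VALUE_EXECUTABLES = {"/usr/bin/sh", "/bin/sh", "/bin/bash", "/usr/bin/bash",
                          "/usr/bin/python3", "/usr/bin/perl"}


def load_events(ndjson):
    """Parse newline-delimited JSON into a list of dicts."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def rank_noise(events, top_n=3):
    """Group events by (event.category, process.executable) and return the
    top_n buckets by document count, with their share of all events and the
    approximate bytes they occupy as serialized JSON."""
    counts, sizes, total = defaultdict(int), defaultdict(int), 0
    for doc in events:
        category = doc["event"]["category"][0]
        executable = doc.get("process", {}).get("executable", "<none>")
        key = (category, executable)
        counts[key] += 1
        sizes[key] += len(json.dumps(doc).encode("utf-8"))
        total += 1
    ranked = sorted(counts, key=lambda k: counts[k], reverse=True)[:top_n]
    return [
        {"category": k[0], "executable": k[1], "count": counts[k],
         "share": round(counts[k] / total, 3), "bytes": sizes[k]}
        for k in ranked
    ]


def is_blind_spot_risk(entry):
    """True when filtering this bucket would hide a high-value executable."""
    return entry["executable"] in HIGH_VALUE_EXECUTABLES


def to_kql(entry):
    """KQL condition matching the bucket (assumed to mirror the Event Filter
    field/operator/value form). Backslashes and quotes are escaped for KQL."""
    exe = entry["executable"].replace("\\", "\\\\").replace('"', '\\"')
    return f'event.category : "{entry["category"]}" and process.executable : "{exe}"'


if __name__ == "__main__":
    for entry in rank_noise(load_events(SAMPLE_NDJSON)):
        flag = "  <-- blind-spot risk, do not filter" if is_blind_spot_risk(entry) else ""
        print(f'{entry["count"]:>4} ({entry["share"]:.1%}) {to_kql(entry)}{flag}')
```

Run against a real export (`load_events(open("events.ndjson").read())`) and only the buckets that are both large and flagged as safe are worth turning into filters; in the sample, the monitoring agent's network events are a reasonable candidate, while the shell's process events are exactly the blind spot the reply describes.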