A Carbon Black EDR server stores endpoint process activity on disk as searchable and retrievable process documents. The size of these process documents varies across environments and OS platforms.

The following factors contribute to on-disk size of process documents:

  • Endpoint OS.Microsoft Windows processes are in general longer-lived compared to *nix based operating systems such as macOS and Linux. Therefore, such processes record more events per process, resulting in larger size on disk. Short-lived macOS and Linux processes (for example, ps, cat, ls) result in much smaller size on disk per process.
  • Endpoint type. In most cases, a server results in larger process document size on disk because servers run long-lived services (for example, daemons).
  • Endpoint use case. An endpoint that runs applications that modify many files or registry entries results in higher process document sizes on disk.

Estimating process document size on disk can be challenging. Incorporating known factors (OS breakdown, server versus workstations, etc.) into the sizing process results in a better experience. The following estimates can help gauge the required server specifications:

Table 1. On-disk size percentiles
Process Document Size (Bytes)
Median 3,600
75-Percentile 4,750
90-Percentile 6,250
99-Percentile 13,800

On-disk size percentiles shows process document on-disk size percentiles across a Carbon Black EDR customer base (minimum of 100 endpoints).