Endpoint activity varies significantly across different deployment environments and OS platforms.

The following factors contribute to endpoint activity levels:

  • The endpoint OS: Carbon Black EDR tracks and reports endpoint activity on a per-process execution basis. In most cases, Microsoft Windows creates and dismantles fewer processes than *nix-based operating systems such as macOS and Linux. Therefore, Microsoft Windows endpoints result in lower endpoint activity levels.
  • Endpoint type:In most cases, an endpoint that is deployed as a server results in higher endpoint activity levels than a general purpose workstation.
  • Endpoint use case: A build machine results in higher endpoint activity levels (for example, file modifications and created binaries). A DNS server results in higher endpoint activity levels (for example, created network connections.)

Estimating endpoint activity can be challenging. Incorporating known factors (OS breakdown, server versus workstations) into the sizing process results in a better experience. The following estimates can help determine the required server specifications:

Table 1. Endpoint activity level percentiles
Windows macOS Linux
Median 7,800 12,000 59,750
75-Percentile 10,750 18,750 125,000
90-Percentile 16,000 25,500 195,750
99-Percentile 34,750 82,750 819,250

Endpoint activity level percentiles shows endpoint activity level percentiles for process documents per endpoint per day, generated by different OS platforms across a Carbon Black EDR customer base (minimum of 100 endpoints).

Most endpoints have activity levels within the median range for each OS type. Servers and endpoints that are used for high performance computing, simulations, or build machines can fall within the 75-percentile to 90-percentile range. Special cases might encounter higher endpoint activity levels, but it is unlikely that all endpoints will be above the 90-percentile range.