Endpoint activity varies significantly across different deployment environments and OS platforms.
The following factors contribute to endpoint activity levels:
- The endpoint OS: Carbon Black EDR tracks and reports endpoint activity on a per-process execution basis. In most cases, Microsoft Windows creates and dismantles fewer processes than *nix-based operating systems such as macOS and Linux. Therefore, Microsoft Windows endpoints result in lower endpoint activity levels.
- Endpoint type: In most cases, an endpoint that is deployed as a server results in higher endpoint activity levels than a general purpose workstation.
- Endpoint use case: A build machine results in higher endpoint activity levels (for example, file modifications and created binaries). A DNS server results in higher endpoint activity levels (for example, created network connections).
Estimating endpoint activity can be challenging. Incorporating known factors (OS breakdown, server versus workstations) into the sizing process results in a better experience. The following estimates can help determine the required server specifications:
Percentile | Windows | macOS | Linux |
---|---|---|---|
Median | 7,800 | 12,000 | 59,750 |
75-Percentile | 10,750 | 18,750 | 125,000 |
90-Percentile | 16,000 | 25,500 | 195,750 |
99-Percentile | 34,750 | 82,750 | 819,250 |
The table above, Endpoint activity level percentiles, shows the percentiles for process documents per endpoint per day, generated by different OS platforms across a Carbon Black EDR customer base (minimum of 100 endpoints).
Most endpoints have activity levels within the median range for each OS type. Servers and endpoints that are used for high performance computing, simulations, or build machines can fall within the 75-percentile to 90-percentile range. Special cases might encounter higher endpoint activity levels, but it is unlikely that all endpoints will be above the 90-percentile range.
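The following added example (not part of the original documentation and not a Carbon Black tool) applies the table to a fleet inventory to produce a low/high range of process documents per day. The inventory format, the function name `estimate_daily_docs`, and the mapping of workstations to the median and of servers, build machines and HPC nodes to the 75th-90th percentile range are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Process documents per endpoint per day, from the percentile table on this page.
PERCENTILES = {
    "windows": {"p50": 7_800, "p75": 10_750, "p90": 16_000, "p99": 34_750},
    "macos": {"p50": 12_000, "p75": 18_750, "p90": 25_500, "p99": 82_750},
    "linux": {"p50": 59_750, "p75": 125_000, "p90": 195_750, "p99": 819_250},
}
# Assumption for this example: workstations are sized at the median; servers,
# build machines and HPC nodes are sized across the 75th-90th percentile range.
ROLE_BAND = {
    "workstation": ("p50", "p50"),
    "server": ("p75", "p90"),
    "build": ("p75", "p90"),
    "hpc": ("p75", "p90"),
}
# Constructed inventory summary (os, role, endpoint count); not real data.
SAMPLE_INVENTORY = """os,role,count
Windows,workstation,4000
Windows,server,300
macOS,workstation,600
Linux,server,200
Linux,build,40
"""

def estimate_daily_docs(inventory_csv):
    """Return {os: (low, high)} plus a 'total' entry, in process documents/day."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        os_name, role = row["os"].strip().lower(), row["role"].strip().lower()
        if os_name not in PERCENTILES or role not in ROLE_BAND:
            raise ValueError(f"unrecognized os/role: {row['os']}/{row['role']}")
        count = int(row["count"])
        if count < 0:
            raise ValueError(f"negative count for {row['os']}/{row['role']}")
        low_key, high_key = ROLE_BAND[role]
        totals[os_name][0] += count * PERCENTILES[os_name][low_key]
        totals[os_name][1] += count * PERCENTILES[os_name][high_key]
    result = {name: tuple(band) for name, band in totals.items()}
    result["total"] = (sum(b[0] for b in totals.values()),
                       sum(b[1] for b in totals.values()))
    return result

if __name__ == "__main__":
    for name, (low, high) in estimate_daily_docs(SAMPLE_INVENTORY).items():
        print(f"{name:8s} {low:>14,} - {high:>14,} process documents/day")
```

In the constructed fleet, 240 Linux servers and build machines account for a larger share of the estimate than 4,000 Windows workstations, which is why the OS and role breakdown matters more than the raw endpoint count.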