The SIEM does not do any filtering, as it would undermine it as being the one source of truth and all that; it just tries to keep up as best it can. It is possible that the appliance might be overwhelmed by an unusually high volume of incoming messages coming from a lot of devices, and the devices sending the messages could end up using all their CPU just trying to address the messages (I've seen that happen while testing poorly configured File Integrity Monitors), but that is basically just what you expect from a DoS: keep spamming a target until it can't handle the load. If LEM tries to do some trick to drop messages during a spike, then the attacker just needs to ramp up the message rate, because sooner or later there will always be a limit. As far as disk space goes, LEM and the agents compress the messages to a pretty fantastic degree, so I would really expect that to be the least likely bottleneck in the process; you can expand the disks to 2 TB, and it holds a ridiculous amount of messages. All you can really do to mitigate DoS as far as LEM goes would be to overspec your hardware.