I’m trying to determine how many events I would receive on my SIEM from the NSS server, is there a good metric I should use?
If you are trying to estimate EPS, you can use the following guidelines, but must remember numbers vary wildly from organization to organization:
A typical user will generate 2000-5000 transactions per day. If you perform SSL interception, you will see more transactions, as each object in the TLS session will be inspected and logged. If you do not decrypt, the entire TLS session will be logged without its internal objects, resulting in significantly fewer sessions per day, as much of the internet is hosted on HTTPS sites.
To calculate the average EPS, multiply the average transactions per day by the number of users. Then divide that daily number by the number of seconds in a day. For example, for 10,000 users and an average of 3,000 transactions per day, you will have about 350 EPS on average.
For a peak transaction rate, multiply the average EPS by 2.5.
Note these are guideline numbers; they vary by customer, depend on policy and have seasonality in them (December numbers are usually much lower, for example).
Also note these numbers assume all transactions are forwarded to the SIEM; however, NSS allows you to implement granular filters on the feeds that will reduce the number of transactions forwarded.
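A small sizing calculator for the estimate described in the answer above (an added example, not part of the original post or of NSS). It carries the average and peak figures through for both the decrypt and no-decrypt cases and, as an assumed extension, works out what feed-filter fraction would fit a given SIEM ingest budget; `licensed_eps` and the function names are my assumptions, not NSS or SIEM settings.

```python
SECONDS_PER_DAY = 24 * 60 * 60
PEAK_FACTOR = 2.5  # peak-to-average multiplier quoted in the answer


def estimate_eps(users, tx_per_user_per_day, forwarded_fraction=1.0):
    """Return (average_eps, peak_eps) for a user population.

    forwarded_fraction models NSS feed filters: 1.0 means every
    transaction is sent to the SIEM, 0.5 means half are dropped.
    """
    daily_events = users * tx_per_user_per_day * forwarded_fraction
    average_eps = daily_events / SECONDS_PER_DAY
    return average_eps, average_eps * PEAK_FACTOR


def forwarding_fraction_for(licensed_eps, users, tx_per_user_per_day):
    """Fraction of transactions the feed filters must let through so
    that the *peak* rate stays within an assumed SIEM ingest budget."""
    _, peak_eps = estimate_eps(users, tx_per_user_per_day)
    return min(1.0, licensed_eps / peak_eps)


if __name__ == "__main__":
    users = 10_000
    # Constructed scenarios: no SSL interception at the low end of the
    # 2000-5000 range, interception near the high end.
    for label, tx in (("no decrypt", 2_000), ("decrypt", 4_500)):
        avg, peak = estimate_eps(users, tx)
        print(f"{label:>10}: avg {avg:7.1f} EPS, peak {peak:7.1f} EPS")
    # Assumed ingest budget of 500 EPS: how much must filters drop?
    frac = forwarding_fraction_for(500, users, 3_000)
    print(f"forward {frac:.0%} of transactions to fit 500 EPS at peak")
```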