Troubleshoot adaptive response relays from Splunk Cloud Platform Enterprise Security search head to an on-premises device

Issue

Performance issues might occur with the Common Action Model (CAM) queue when running the adaptive response modular input.

Cause

The adaptive response modular input runs at a default interval of 2 minutes. To avoid exposing critical infrastructure controls, adaptive response actions are queued on the Splunk Cloud Platform search head.

Solution

You can adjust the CAM queue interval based on your needs. A more frequent execution time places additional load on the Splunk Cloud Platform Enterprise Security search head.

To avoid performance problems with the Common Action Model (CAM) queue, adjust the interval to run less frequently, and do not set it below 10 seconds. The queued actions store the metadata and search results that enable a proxy to run adaptive response actions from your on-premises environment.

Also, ensure that your heavy forwarder is configured to forward its data to your indexers. This includes the data produced by the relayed modular actions. You can run a search similar to the following on your Splunk Enterprise Security search head to verify that data is being forwarded, where hf1 is the name of your heavy forwarder:

If this search never returns results, your heavy forwarder is having trouble connecting to the Splunk Enterprise Security search head, or its data is not reaching your indexers.