WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with fewer than 1 million events per hour, or in a horizontally and vertically scaling cluster that supports millions of events per second with long-term retention and processing.

Deployment Options

WitFoo Precinct can be deployed in several ways: as a single All-in-One appliance, or as a cluster of specialized appliance nodes, on-premises or cloud hosted.

Licenses

A 30-day trial license is issued automatically to every new appliance deployment when it launches. To obtain a trial license manually, please fill out this form. To obtain a production license, please request a quote and a WitFoo Partner will deliver it. Cloud-hosted licensing on pay-as-you-go appliances is billed automatically to the cloud account. Pricing details are available on the pricing page for the software-only offering and on the cloud page for the SaaS offering.

Appliance Nodes

WitFoo Precinct is deployed as appliance nodes. The All-in-One appliance contains all three WitFoo Precinct components; the other images each carry one role. Each node can handle up to 1 million records per hour when clustered (at the resource allocation and Core processing level below). Appliance CPU and RAM must match the chart below and must be adjusted on OVA import.

  • All-in-One – Contains the Investigative Engine (IE), Streamer and Data node roles. Rated up to 1M eph.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration, as well as distributed processing and analysis.
  • Streamer Node – Receives and parses Syslog and NetFlow and stores each record as a WitFoo Artifact on the Data Nodes. Also includes the Investigative Engine.
  • Data Node – Cassandra data cluster node that receives, stores and processes WitFoo Artifacts; also hosts the relational (SQL) data cluster.

Downloads

Node                    | CPU | RAM  | Disk  | Downloads
All-in-One (200GB Data) | 8   | 24GB | 300GB | OVA, VHD
All-in-One (1TB Data)   | 8   | 24GB | 1.3TB | OVA, VHD
Data (200GB Data)       | 4   | 12GB | 275GB | OVA, VHD
Data (1TB Data)         | 4   | 12GB | 1.1TB | OVA, VHD
Streamer                | 4   | 8GB  | 115GB | OVA, VHD
IE/Management           | 4   | 12GB | 155GB | OVA, VHD

Best Practice Note: Initial deployments built as a minimum horizontal cluster can be expanded later without migrating data. For most enterprises, the configuration below gives that horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Node for each transport type in use (syslog, NetFlow, Beats, CloudWatch, Splunk)
  • Three (3) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Appliance Deployment Instructions

It is highly recommended that appliance disks be thick provisioned; thin-provisioned disks grow on demand and cause performance and stability issues under the appliances' write load.

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Network Configuration

The operating system of WitFoo Precinct is Ubuntu 20.04 LTS. Before running ./register, ensure networking is configured correctly. For reference see: https://ubuntu.com/server/docs/network-configuration

It is highly recommended that network configuration be handled through DHCP scope reservations, so that each node keeps a stable address without a static configuration on the appliance.

Installation Walk-through

The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/

Firewall Ports

All appliances must be able to reach the following external hosts on HTTPS (443/tcp):

Additionally, each image listens on the following ports. Treat this table as the allow-list for host and network firewalls: expose SSH (22/tcp) and the IE interfaces (443/tcp, 8080/tcp) only to management networks, expose Cassandra (9042/tcp) and replication (7001/tcp) only to the other cluster nodes, and expose the ingest listeners only to the log sources that feed them, since plain syslog over 514 and NetFlow over 2055/udp are unauthenticated.

Image         | Open Ports
All-in-One    | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp, 514/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node       | SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node | SSH (22/tcp), Syslog (514/udp, 514/tcp), Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node     | SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp)
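As an added preflight check, not part of WitFoo's documentation or tooling, the POSIX shell script below compares what a node actually listens on (parsed from `ss -Hltun`) with the ports the table above documents for its image. It reports documented ports with no listener (the service is down, so the firewall rule is pointless) and listeners the table does not document (extra attack surface to justify or firewall off). The role names (all-in-one, ie, streamer, data), the `ROLE` variable and the sample `ss` output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not WitFoo tooling): audit a node's listening ports against
# the "Firewall Ports" table. Port lists are transcribed from that table; the
# role names and the ROLE variable are this example's own convention.
#   sh port-audit.sh                 # runs against the constructed sample below
#   ROLE=streamer sh port-audit.sh   # runs against `ss -Hltun` on this host

# expected_ports ROLE -> space-separated "port/proto" pairs from the table
expected_ports() {
    case "$1" in
        all-in-one) echo "22/tcp 443/tcp 514/udp 514/tcp 6055/tcp 6555/tcp 2055/udp 5044/tcp" ;;
        ie)         echo "22/tcp 443/tcp 8080/tcp" ;;
        streamer)   echo "22/tcp 514/udp 514/tcp 6514/tcp 2055/udp 5044/tcp" ;;
        data)       echo "22/tcp 9042/tcp 7001/tcp" ;;
        *)          echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# listening_ports SS_TEXT -> unique "port/proto" pairs parsed from `ss -Hltun`
# output (columns: Netid State Recv-Q Send-Q Local-Address:Port Peer). The port
# is the text after the last colon, so "0.0.0.0:22" and "[::]:22" both give 22.
listening_ports() {
    printf '%s\n' "$1" | awk 'NF >= 5 {
        n = split($5, a, ":"); pair = a[n] "/" $1
        if (!(pair in seen)) { seen[pair] = 1; print pair }
    }'
}

# in_list ITEM "LIST" -> true if ITEM is one of the space-separated words
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# missing_ports ROLE SS_TEXT -> documented ports that nothing is listening on
missing_ports() {
    exp=$(expected_ports "$1") || return 1
    lst=$(listening_ports "$2" | tr '\n' ' ')
    for p in $exp; do in_list "$p" "$lst" || echo "$p"; done
}

# unexpected_ports ROLE SS_TEXT -> listeners the table does not document
unexpected_ports() {
    exp=$(expected_ports "$1") || return 1
    for p in $(listening_ports "$2"); do in_list "$p" "$exp" || echo "$p"; done
}

# Constructed sample of `ss -Hltun` output for a Streamer node: syslog SSL and
# NetFlow are not up, and something undocumented is bound on 8080/tcp.
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22         [::]:*
udp   UNCONN 0      0      0.0.0.0:514     0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:514     0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:5044    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:8080  0.0.0.0:*'

if [ -n "${ROLE:-}" ]; then
    role=$ROLE; ss_out=$(ss -Hltun)
else
    role=streamer; ss_out=$SAMPLE_SS
fi
echo "role: $role"
echo "documented but not listening:"; missing_ports "$role" "$ss_out"
echo "listening but not documented:"; unexpected_ports "$role" "$ss_out"
```

Run it on each node after ./register and before opening the upstream firewall; anything in the second list that is not a loopback-only helper deserves a rule or an explanation, and anything in the first list means the transport you expected to receive on that node is not actually up.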

Precinct Architecture

Training

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)

Security Products Currently Supported

Vendor               | Product                                  | Critical Security Controls | Guide
AT&T                 | AT&T Arris Gateway                       | 9, 12                      |
Akamai               | Akamai SIEM Integration                  | 12                         |
Amazon Web Services  | CloudWatch                               |                            | Guide
Amazon Web Services  | CloudTrail                               |                            |
Amazon Web Services  | GuardDuty                                | 9, 12                      |
Amazon Web Services  | AWS VPC Security                         | 9, 12                      |
Amazon Web Services  | AWS Instance Backup                      | 10                         |
Apache               | Apache Web Server                        |                            |
Apache               | Apache Tomcat                            |                            |
AudioCodes           | Mediant Media Gateway                    | 9, 12                      |
BRO IDS              | BRO IDS                                  |                            |
Barracuda            | Barracuda WAF                            | 12                         |
Beyond Trust         | Beyond Trust                             | 4, 16                      |
Carbon Black         | Carbon Black Protect/Defend              | 1, 8                       |
Centrify             | Centrify                                 | 4, 16                      |
Checkpoint           | Checkpoint FW                            | 9, 12                      | Guide
Cisco                | Stealthwatch                             | 8                          | Guide
Cisco                | Advanced Malware Protection (AMP)        | 1, 3, 8                    | Guide
Cisco                | Firepower                                | 9, 12                      | Guide
Cisco                | ASA Firewall                             | 9, 12                      | Guide
Cisco                | Meraki                                   | 15                         |
Cisco                | Cisco IronPort                           | 7                          |
Cisco                | Umbrella                                 | 1, 7                       | Guide
Cisco                | Cisco Threat Response                    | 1, 8                       | Guide
Cisco                | Cisco Wireless                           | 15                         |
Cisco                | Cisco ISE                                | 1, 4, 9, 14                |
Cisco                | Cisco Network Operating System           | 11                         |
Cisco                | Web Security Appliance (WSA)             | 1, 8                       |
Cisco                | Access Control Server (ACS)              | 1, 4, 6, 9, 11, 14         |
Citrix               | NetScaler                                | 9, 12                      |
CrowdStrike          | Falcon                                   | 1, 3, 8                    | Guide
Cybereason           | Cybereason                               | 1, 8                       |
Cylance              | Cylance Protect                          | 1, 8                       | Guide
Deep Instinct        | Advanced Endpoint Security               | 1, 8                       |
ESET                 | ESET Antivirus                           | 1, 8                       |
Ericsson             | Security Manager                         | 1, 8                       |
F5                   | ASM                                      | 7, 9, 12                   | Guide
FireEye              | FireEye Email Security (EX Series)       | 7                          |
FireEye              | FireEye Network Security (NX Series)     | 1, 8                       |
FireEye              | FireEye Endpoint Security (HX Series)    | 1, 8                       | Guide
FireEye              | FireEye Malware Analysis (AX Series)     | 1, 8                       |
FireEye              | FireEye File Protect (FX Series)         | 13                         |
FireEye              | FireEye Central Management (CM Series)   | 1, 8                       |
Fortinet             | FortiGate                                | 9, 12                      |
Fortinet             | FortiMail                                | 9, 12                      |
Gigamon              | Gigamon GigaVUE                          |                            |
Gin                  | Gin Access Log                           |                            |
HAProxy              | HAProxy Load Balancer                    |                            |
HPE                  | HPE Nimble                               | 13                         |
HPE                  | HPE EFS                                  | 13                         |
IBM                  | QRadar                                   | 6, 16                      | Guide
IBM                  | IBM i Powertech SIEM Agent               | 4, 5, 14                   |
Imperva              | SecureSphere                             | 13                         |
Infoblox             | Infoblox                                 | 1, 7                       |
Infocyte             | Infocyte                                 | 1, 8                       |
JavaMelody Project   | JavaMelody                               |                            |
Juniper              | Juniper FW                               | 9, 12                      |
Linux                | named                                    |                            |
Linux                | sshd                                     |                            |
Linux                | fail2ban                                 | 4                          |
Linux                | auditd Logs                              | 4, 5, 14                   |
Linux                | Linux PAM                                | 4                          |
Malwarebytes         | Malwarebytes Anti-Malware                | 1, 8                       |
McAfee               | McAfee Web Gateway                       | 9, 12                      |
McAfee               | McAfee ePolicy Orchestrator              | 1, 8                       | Guide
McAfee               | McAfee Network Security                  | 9, 12                      |
McAfee               | McAfee Endpoint Security                 | 1, 8                       |
Microsoft            | Windows Logs                             | 4, 5, 14                   | Guide
Microsoft            | Windows Active Directory                 | 4, 5, 14                   |
Microsoft            | Advanced Threat Analytics                | 1, 8                       |
Microsoft            | DHCP                                     |                            |
Microsoft            | Azure Security                           | 2, 4, 5, 9, 13, 14, 16     | Guide
Mist                 | Mist Wireless                            | 15                         | Guide
Mojo                 | Mojo Wireless                            | 15                         |
Multiple             | NetFlow v5, v7, v9                       |                            | Guide
Multiple             | IPFIX                                    |                            |
Multiple             | Common Event Format (CEF)                |                            |
Multiple             | Log Event Extended Format (LEEF)         |                            |
NXLog                | NXLog                                    |                            |
Netscout             | Netscout                                 |                            |
Nokia                | NetGuard                                 | 9, 12                      |
OSSEC                | OSSEC                                    | 1, 8                       |
Okta                 | Okta                                     | 4, 16                      |
OpenVPN              | OpenVPN                                  | 9, 12                      |
Postfix              | Postfix                                  |                            |
Paessler             | PRTG Network Monitor                     | 1, 6                       |
Palo Alto            | PAN NGFW                                 | 9, 12                      | Guide
Proofpoint           | Proofpoint Protect                       | 7                          |
Pulse                | Pulse Secure                             | 4, 16                      |
Qualys               | Qualys VA                                | 1, 2, 3, 5, 11             | Guide
Radware              | Radware AppWall                          | 12                         |
Roqos                | Roqos Core                               | 9, 12                      |
SSSD Project         | System Security Services Daemon (sssd)   | 4                          |
SecureCircle         | SecureCircle                             | 5, 13, 14                  |
Senhasegura          | Senhasegura PAM                          | 4                          |
Shibboleth           | Shibboleth IdP                           | 4, 16                      |
SolarWinds           | N-central                                | 1, 8                       |
SonicWall            | SonicWall Firewall                       | 9, 12                      | Guide
Sophos               | Sophos Central                           | 1, 8                       |
Suricata             | Suricata IDS                             |                            |
Symantec             | Symantec Endpoint Protection             | 1, 8                       | Guide
Symantec             | Symantec Data Loss Prevention            | 13                         |
Tanium               | Tanium                                   | 1, 8                       |
TAXII                | STIX/TAXII                               |                            | Guide
Tenable              | Tenable Vulnerability Management         | 1, 2, 3, 5, 11             | Guide
ThreatMetrix         | ThreatMetrix                             |                            |
Thycotic             | Secret Server                            | 4, 16                      | Guide
TippingPoint         | TippingPoint IPS                         | 9, 12                      |
Titan                | SpamTitan                                | 7                          |
TrapX                | TrapX                                    |                            |
Trend Micro          | Trend Deep Security                      | 1, 8                       |
Tufin                | Tufin SecureTrack                        | 9, 11                      |
Ubiquiti             | UniFi Security Gateway                   | 9, 12                      |
VMware               | VMware vCenter                           | 2                          |
VMware               | VMware NSX Firewall                      | 9, 12                      |
Varonis              | DatAdvantage                             | 13                         |
Vectra Networks      | Cognito                                  | 8                          |
Wazuh                | Wazuh                                    | 1, 8                       | Guide
Websense             | Websense                                 | 7, 9, 12                   |
WitFoo               | Precinct                                 | 6, 16, 19                  |
WitFoo               | WitFoo IOC Feed                          |                            |
Zix                  | Zix Email                                | 7                          |
Linux                | Uncomplicated Firewall (UFW)             | 9, 12                      |
Linux                | Kernel                                   | 5, 6                       |
Linux                | Netfilter ulogd                          | 9, 12                      |
pfSense              | pfSense Firewall                         | 9, 12                      | Guide
Zscaler              | Zscaler NSS                              | 7, 9, 12                   | Guide