Technical Specifications

WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with fewer than 10,000 events per second, or in a horizontally and vertically scaling architecture that supports millions of events per second with long-term retention and processing.

Appliance Deployment Instructions

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)

The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/

Installation Walk-through

Appliance Nodes

WitFoo Precinct is deployed as appliance nodes. An All-in-One appliance contains all three WitFoo Precinct components. When clustered, each node can handle up to 50,000 events per second (at optimal resource allocation and Core processing level). Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration, as well as distributed processing and analysis.
  • Streamer Node – Receives, parses and stores Syslog and NetFlow as WitFoo Artifacts in the Data Nodes. Also includes the Investigative Engine.
  • Data Node – Cassandra data cluster node that receives, stores and processes WitFoo Artifacts; also a member of the Relational (SQL) data cluster.
| Node | CPU | RAM | Disk | OVA Download | AWS min / optimal |
|---|---|---|---|---|---|
| All-in-One | 8 | 16GB | 1.2TB, 280GB, 180GB | 1TB, 200GB, 100GB | c5.2xlarge / c5.18xlarge |
| IE Node | 4 | 8GB | 130GB | OVA | c5.xlarge / c5.4xlarge |
| Streamer Node | 4 | 8GB | 130GB | OVA | c5.xlarge / c5.4xlarge |
| Data Node | 4 | 12GB | 1.2TB, 280GB, 180GB | 1TB, 200GB, 100GB | c5.xlarge / c5.4xlarge |

Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Node
  • Three (3) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

To request a trial license, complete this form.

| Image | Open Ports |
|---|---|
| All-in-One | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| IE Node | SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp) |
| Streamer Node | SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| Data Node | SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp) |
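A practitioner standing up a cluster will want to confirm that each node exposes only the ports listed for its image and all of the ports it needs. The following Python is an added example, not WitFoo's own tooling: it parses the port notation used in the table above and audits a constructed `ss -Hlntu` listing (not captured from a real appliance) against the role's allowlist, reporting listeners the table does not call for and required listeners that are absent.

```python
import re

# Open-port requirements per image, transcribed from the table above.
OPEN_PORTS = {
    "All-in-One": "SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, "
                  "6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)",
    "IE Node": "SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)",
    "Streamer Node": "SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), "
                     "NetFlow (2055/udp), Beats (5044/tcp)",
    "Data Node": "SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp)",
}

_ENTRY = re.compile(r"([^(,]+?)\s*\(([^)]*)\)")  # 'Service (port/proto, ...)'

def parse_ports(spec: str) -> dict:
    """Expand 'Syslog (514/udp/tcp, 6055/tcp)' into {(514,'udp'): 'Syslog', ...}."""
    allow = {}
    for service, body in _ENTRY.findall(spec):
        for item in body.split(","):
            port, *protos = item.strip().split("/")  # '514/udp/tcp' lists two protocols
            for proto in protos:
                allow[(int(port), proto)] = service.strip()
    return allow

def parse_ss(output: str) -> set:
    """Turn `ss -Hlntu` style lines into {(port, proto)}; other lines are skipped."""
    listening = set()
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("tcp", "udp"):
            listening.add((int(f[4].rsplit(":", 1)[1]), f[0]))
    return listening

def audit(role: str, listening: set) -> dict:
    """Compare what a host listens on with what the table allows for its role."""
    allow = set(parse_ports(OPEN_PORTS[role]))
    return {"unexpected": listening - allow, "missing": allow - listening}

# Constructed sample, not captured from a real appliance: a Streamer Node that
# is missing its Syslog SSL listener and exposes a Cassandra port it should not.
SS_SAMPLE = """\
tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:514  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:514  0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:2055 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5044 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:9042 0.0.0.0:*
"""

if __name__ == "__main__":
    print(audit("Streamer Node", parse_ss(SS_SAMPLE)))
```

Feed it real `ss -Hlntu` output from each node and treat any "unexpected" entry as a candidate for a host firewall rule or a service to disable.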
Precinct Architecture


Security Products Currently Supported

| Vendor | Product | Critical Security Controls |
|---|---|---|
| BRO IDS | BRO IDS | |
| Carbon Black | Carbon Black Protect/Defend | 1, 2, 5, 8 |
| Centrify | Centrify | 4 |
| Checkpoint | Checkpoint FW | 9, 12 |
| Cisco | Stealthwatch | 12, 13 |
| Cisco | Advanced Malware Protection (AMP) | 1, 8 |
| Cisco | Firepower | 7, 12 |
| Cisco | ASA Firewall | 9, 12 |
| Cisco | Meraki | 15 |
| Cisco | Cisco Ironport | 7 |
| Cisco | Umbrella | 7 |
| Cisco | Cisco Threat Response | 8 |
| Cisco | Cisco Wireless | 15 |
| Crowdstrike | Falcon | 1, 2, 5, 8 |
| Cybereason | Cybereason | 1, 8 |
| Cylance | Cylance Protect | 1, 5, 8 |
| F5 | ASM | 12 |
| FireEye | FireEye EMS | 1, 5, 8 |
| Fortinet | Fortigate | 7, 9, 12 |
| IBM | QRadar | 1, 6, 16 |
| Imperva | SecureSphere | 13 |
| InfoBlox | InfoBlox | 1, 7 |
| Juniper | Juniper FW | 7, 9, 12 |
| Malwarebytes | Malwarebytes Anti-Malware | 1, 8 |
| McAfee | McAfee Web Gateway | 7 |
| McAfee | McAfee ePolicy Orchestrator | 1, 8 |
| Microsoft | Windows Logs | 4, 14 |
| Microsoft | Windows Active Directory | 4, 5, 14 |
| Microsoft | Advanced Threat Analytics | 13, 16 |
| Mist | Mist Wireless | 15 |
| Nokia | NetGuard | 12 |
| OSSEC | OSSEC | 1, 8 |
| Palo Alto | PAN NGFW | 7, 9, 12 |
| ProofPoint | ProofPoint Protect | 7 |
| Qualys | Qualys VA | 1, 2, 3, 5, 11 |
| Radware | Radware Appwall | 12 |
| Solarwinds | N-Central | 8 |
| Sophos | Sophos Central | 1, 5, 8 |
| Suricata | Suricata IDS | 12 |
| Symantec | Symantec Endpoint Protection | 1, 8 |
| Symantec | Symantec Data Loss Prevention | 13 |
| Taxii | STIX/Taxii | |
| Threatmetrix | Threatmetrix | |
| Thycotic | Secret Server | 4 |
| Tippingpoint | Tippingpoint IPS | 9, 12 |
| TrapX | TrapX | |
| Trend Micro | Trend Deep Security | 1, 8 |
| Varonis | DatAdvantage | 12 |
| Vectra Networks | Cognito | 8 |
| Wazuh | Wazuh | 1, 8 |
| Websense | Websense | 7 |
| WitFoo | Precinct | 6, 16 |
| zScaler | zScaler NSS | 7 |