Technical Specifications

WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 10,000 events per second or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.

Appliance Deployment Instructions

• VMWare ESX
• Virtualbox
• Amazon Web Services
• Google Cloud
• Azure
• Oracle Cloud
• Rackspace or other Cloud Hosting
• Ubuntu 18.04 LTS (Virtual or Physical)

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)

Installation Walk-through

Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. There is a small, medium and large option for an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level.) Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

• Primary Node – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
• Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
• Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
• Data Node – MySQL NDB data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster. Custom disk sizes can be created using the guidance outline on the WitFoo Community here: https://community.witfoo.com/forums/topic/creating-custom-disk-size-for-data-node-vm/

Node	CPU (min)	RAM (min)	OVA Download	AWS min/optimal
Primary	6	12GB****	50GB*, 200GB, 1TB, 8TB	c5.2xlarge / c5.18xlarge
IE Node	2**	2GB	50GB	c5.xlarge / c5.4xlarge
Streamer Node	2***	4GB	50GB	c5.xlarge / c5.4xlarge
Data Node	4**	6GB****	200GB, 1TB, 8TB*****	c5.2xlarge / c5.18xlarge

* 50GB on Primary node is only recommended for short term use (such as security assessments or trials.)

** Baselines/Machine Learning require 8x CPU of Core processing

*** 2 to 4 CPU’s for each data stream types (syslog, Splunk, NetFlow, ElasticBeats, etc.) recommended.

**** Increasing RAM reduces disk input/output and improves query times. The recommended RAM for storage is as follows:

• 50GB & 200GB Disk: 8GB RAM
• 1TB Disk: 16GB RAM
• 8TB Disk: 64GB RAM

***** All Data nodes are required to be the same size in a deployment. In cases where different sizes are used, all nodes will use the smallest node’s disk size for retention.

Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

• One (1) IE Node
• One (1) Streamer Nodes
• Two (2) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Vertical Scale Notes: WitFoo Precinct provides for extreme vertical scale in addition to horizontal scale by dynamically & elastically adjusting to system resources. Nodes have been tested and are supported up to 64CPU, 128GB RAM and 10TB of disk per node. Network Links up to 10Gbps are also supported.

Processing Levels: Precinct runs at 3 different Processing Levels: Core, Relationships and Baselines/Machine Learning.

1. Core: Basic processing with minimum CPU requirements. Includes all Tool, Operations and Readiness Reporting and full alarm processing.
2. Relationships: Establishes graph relationships with all artifacts. Requires multiple Data and Management Nodes. Adds ability to filter lead rules on host, user and file attributes.
3. Baselines: Machine Learning and baselines on all entities. Requires multiple Data and Management Nodes. Adds UEBA and NBAD detection.

CPU allocation is critical for higher processing levels. Level 2 requires 5x the cycles as Level 1 and Level 3 requires 25x of Level 1. Vertical and Horizontal Scale of Investigative Engine (IE) Nodes are highly recommend for Levels 2 & 3.

To request a trial license, complete this form.

Image	Open Ports
All-in-One	SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node	SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node	SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node	SSH (22/tcp), MySQLD (33060/tcp) MySQL Data replication (2202/tcp), MySQL Managment (1186/tcp)

Integrations

Precinct accepts syslog and NetFlow from the organization and connects to security and orchestration tool API.

Tool	Syslog	Field Extraction	Network Communications	User Sessions	API	Lab Insights
All Syslog	Yes	–	–	–	–	–
Common Event Format (CEF)	Yes	Yes	Yes	Yes	–	–
NetFlow v5, v9	–	Yes	Yes	–	–	Yes
NSEL, jFlow, cFlow	–	Yes	Yes	–	–	Yes
QRadar	Yes	Yes	Yes	Yes	Yes	Yes
Splunk	Yes	Yes	Yes	Yes	Yes	Yes
Cisco AMP	–	Yes	Yes	Yes	Yes	Yes
CarbonBlack/Bit9 Protect	–	Yes	–	Yes	Yes	Yes
CarbonBlack/Bit9 Respond	–	Yes	–	Yes	Yes	Yes
Crowdstrike	–	Yes	Yes	Yes	Yes	Yes
Symantec SEP	Yes	Yes	Yes	Yes	–	Yes
McAfee ePo	Yes	Yes	Yes	Yes	–	Yes
TrapX	Yes	Yes	Yes	–	–	Yes
Cisco ASA	Yes	Yes	Yes	Yes	–	Yes
Palo Alto NGFW	Yes	Yes	Yes	–	–	Yes
Checkpoint FW	Yes	Yes	Yes	–	–	Yes
Cisco Meraki	Yes	Yes	Yes	–	–	Yes
Cisco ISE	Yes	Yes	Yes	–	–	Yes
Cisco Stealthwatch	–	Yes	Yes	–	Yes	Yes
Tippingpoint FW	Yes	Yes	–	–	–	Yes
STIX/TAXII	–	Yes	–	–	Yes	Yes
Winlogbeats	–	Yes	–	Yes	–	Yes

Would you like to see a new integration? Create a Feature Request to see it in an upcoming release.For details on configuration and integration see: https://vimeo.com/277807076.