WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 10,000 events per second or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.
Appliance Deployment Instructions
- VMWare ESX
- Virtualbox
- Amazon Web Services
- Google Cloud
- Azure
- Oracle Cloud
- Rackspace or other Cloud Hosting
- Ubuntu 18.04 LTS (Virtual or Physical)
For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/
Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)
Installation Walk-through
Appliance Nodes
WitFoo Precinct is deployed via appliance nodes. There is a small, medium and large option for an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level.) Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.
- Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
- Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
- Data Node – NoSQL data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster. Custom disk sizes can be created using the guidance outline on the WitFoo Community here: https://community.witfoo.com/forums/topic/creating-custom-disk-size-for-data-node-vm/
- All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
| Node | CPU (min/optimal) | RAM | Disk | OVA Download | AWS min/optimal |
|---|---|---|---|---|---|
| All-in-One (Small)* | 6 / 12 | 16GB | 200GB | Medium | t2.large / i2.2xlarge |
| All-in-One (Large)* | 6 / 12 | 16GB | 1TB | Large | t2.medium / c5d.2xlarge |
| IE Node | 1 / 8** | 6GB | 50GB | Small | t2.medium / c5d.2xlarge |
| Streamer Node | 1 / 8*** | 8GB | 50GB | Small | c4.2xlarge / c5d.2xlarge |
| Data Node | 4 / 8** | 8GB | 200GB or 1TB | Medium or Large | t2.large / i2.2xlarge |
* All-in-One only supports Core Processing level
** CPU Minimums required for Baselines/Machine Learning
*** Streamer CPU’s Required when processing multiple data stream types (syslog, Splunk, NetFlow, ElasticBeats, etc.). It is recommended to use a single Streamer node per data stream type.
Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:
- One (1) IE Node
- One (1) Streamer Nodes
- Two (2) Data Nodes
For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.
Vertical Scale Notes: WitFoo Precinct provides for extreme vertical scale in addition to horizontal scale by dynamically & elastically adjusting to system resources. Nodes have been tested and are supported up to 64CPU, 128GB RAM and 10TB of disk per node. Network Links up to 10Gbps are also supported.
Processing Levels: Precinct runs at 3 different Processing Levels: Core, Relationships and Baselines/Machine Learning.
- Core: Basic processing with minimum CPU requirements. Includes all Tool, Operations and Readiness Reporting and full alarm processing.
- Relationships: Establishes graph relationships with all artifacts. Requires multiple Data and Management Nodes. Adds ability to filter lead rules on host, user and file attributes.
- Baselines: Machine Learning and baselines on all entities. Requires multiple Data and Management Nodes. Adds UEBA and NBAD detection.
CPU allocation is critical for higher processing levels. Level 2 requires 5x the cycles as Level 1 and Level 3 requires 25x of Level 1. Vertical and Horizontal Scale of Investigative Engine (IE) Nodes are highly recommend for Levels 2 & 3.
To request a trial license, complete this form.
| Image | Open Ports |
|---|---|
| All-in-One | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| IE Node | SSH (22/tcp), HTTPS (443/tcp), MySQL Management (1186/tcp) |
| Streamer Node | SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| Data Node | SSH (22/tcp), MySQLD (33060/tcp) MySQL Data (2202/tcp), ElasticAPI(9200/tcp), Replication(9300/tcp) |
Deployment Communication
Integrations
Precinct accepts syslog and NetFlow from the organization and connects to security and orchestration tool API.
| Tool | Syslog | Field Extraction | Network Communications | User Sessions | API | Lab Insights |
|---|---|---|---|---|---|---|
| All Syslog | Yes | – | – | – | – | – |
| Common Event Format (CEF) | Yes | Yes | Yes | Yes | – | – |
| NetFlow v5, v9 | – | Yes | Yes | – | – | Yes |
| NSEL, jFlow, cFlow | – | Yes | Yes | – | – | Yes |
| QRadar | Yes | Yes | Yes | Yes | Yes | Yes |
| Splunk | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco AMP | – | Yes | Yes | Yes | Yes | Yes |
| CarbonBlack/Bit9 Protect | – | Yes | – | Yes | Yes | Yes |
| CarbonBlack/Bit9 Respond | – | Yes | – | Yes | Yes | Yes |
| Crowdstrike | – | Yes | Yes | Yes | Yes | Yes |
| Symantec SEP | Yes | Yes | Yes | Yes | – | Yes |
| McAfee ePo | Yes | Yes | Yes | Yes | – | Yes |
| TrapX | Yes | Yes | Yes | – | – | Yes |
| Cisco ASA | Yes | Yes | Yes | Yes | – | Yes |
| Palo Alto NGFW | Yes | Yes | Yes | – | – | Yes |
| Checkpoint FW | Yes | Yes | Yes | – | – | Yes |
| Cisco Meraki | Yes | Yes | Yes | – | – | Yes |
| Cisco ISE | Yes | Yes | Yes | – | – | Yes |
| Cisco Stealthwatch | – | Yes | Yes | – | Yes | Yes |
| Tippingpoint FW | Yes | Yes | – | – | – | Yes |
| STIX/TAXII | – | Yes | – | – | Yes | Yes |
| Winlogbeats | – | Yes | – | Yes | – | Yes |
Would you like to see a new integration? Create a Feature Request to see it in an upcoming release.For details on configuration and integration see: https://vimeo.com/277807076.
