Technical Specifications

WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 10,000 events per second or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.

Appliance Deployment Instructions

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)

Installation Walk-through

Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. There is a small, medium and large option for an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level.) Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • Primary Node – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
  • Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
  • Data Node – MySQL NDB data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster. Custom disk sizes can be created using the guidance outline on the WitFoo Community here: https://community.witfoo.com/forums/topic/creating-custom-disk-size-for-data-node-vm/
Node CPU (min) RAM (min) OVA Download AWS min/optimal
Primary 6 12GB**** OVA c5.2xlarge / c5.18xlarge
IE Node 2** 2GB OVA c5.xlarge / c5.4xlarge
Streamer Node 2*** 4GB OVA c5.xlarge / c5.4xlarge
Data Node 4** 6GB**** OVA***** c5.2xlarge / c5.18xlarge

Note: Instances should have 10,000 IOPS (min) to 50,000 IOPS (ideal) configured for disk access on Primary Node. Provisioned IOPS SSD recommended for AWS.

* 50GB on Primary node is only recommended for short term use (such as security assessments or trials.)

** Baselines/Machine Learning require 8x CPU of Core processing

*** 2 to 4 CPU’s for each data stream types (syslog, Splunk, NetFlow, ElasticBeats, etc.) recommended.

**** Increasing RAM reduces disk input/output and improves query times. The recommended RAM for storage is as follows:

  • 50GB & 200GB Disk: 8GB RAM
  • 1TB Disk: 16GB RAM
  • 8TB Disk: 64GB RAM

***** All Data nodes are required to be the same size in a deployment. In cases where different sizes are used, all nodes will use the smallest node’s disk size for retention.

Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Nodes
  • Two (2) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Vertical Scale Notes: WitFoo Precinct provides for extreme vertical scale in addition to horizontal scale by dynamically & elastically adjusting to system resources. Nodes have been tested and are supported up to 64CPU, 128GB RAM and 10TB of disk per node. Network Links up to 10Gbps are also supported.

Processing Levels: Precinct runs at 3 different Processing Levels: Core, Relationships and Baselines/Machine Learning.

  1. Core: Basic processing with minimum CPU requirements. Includes all Tool, Operations and Readiness Reporting and full alarm processing.
  2. Relationships: Establishes graph relationships with all artifacts. Requires multiple Data and Management Nodes. Adds ability to filter lead rules on host, user and file attributes.
  3. Baselines: Machine Learning and baselines on all entities. Requires multiple Data and Management Nodes. Adds UEBA and NBAD detection.

CPU allocation is critical for higher processing levels. Level 2 requires 5x the cycles as Level 1 and Level 3 requires 25x of Level 1. Vertical and Horizontal Scale of Investigative Engine (IE) Nodes are highly recommend for Levels 2 & 3.

To request a trial license, complete this form.

Image Open Ports
All-in-One SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node SSH (22/tcp), MySQLD (33060/tcp) MySQL Data replication (2202/tcp), MySQL Managment (1186/tcp)
WitFoo Deployment Layout

WitFoo Deployment Layout

Integrations

Precinct accepts syslog and NetFlow from the organization and connects to security and orchestration tool API.

Tool Syslog Field Extraction Network Communications User Sessions API Lab Insights
All Syslog Yes
Common Event Format (CEF) Yes Yes Yes Yes
NetFlow v5, v9 Yes Yes Yes
NSEL, jFlow, cFlow Yes Yes Yes
QRadar Yes Yes Yes Yes Yes Yes
Splunk Yes Yes Yes Yes Yes Yes
Cisco AMP Yes Yes Yes Yes Yes
CarbonBlack/Bit9 Protect Yes Yes Yes Yes
CarbonBlack/Bit9 Respond Yes Yes Yes Yes
Crowdstrike Yes Yes Yes Yes Yes
Symantec SEP Yes Yes Yes Yes Yes
McAfee ePo Yes Yes Yes Yes Yes
TrapX Yes Yes Yes Yes
Cisco ASA Yes Yes Yes Yes Yes
Palo Alto NGFW Yes Yes Yes Yes
Checkpoint FW Yes Yes Yes Yes
Cisco Meraki Yes Yes Yes Yes
Cisco ISE Yes Yes Yes Yes
Cisco Stealthwatch Yes Yes Yes Yes
Tippingpoint FW Yes Yes Yes
STIX/TAXII Yes Yes Yes
Winlogbeats Yes Yes Yes

Would you like to see a new integration? Create a Feature Request to see it in an upcoming release.For details on configuration and integration see: https://vimeo.com/277807076.

Data Collection Architecture