Technical Details & Downloads

WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with fewer than 10,000 events per second, or in a horizontally & vertically scaling architecture that supports millions of events per second together with long-term retention and processing.

Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. An All-in-One appliance contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level). Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration, as well as distributed processing and analysis.
  • Streamer Node – Receives and parses Syslog and NetFlow and stores them as WitFoo Artifacts on Data Nodes. Also includes the Investigative Engine.
  • Data Node – Cassandra data-cluster node that receives, stores and processes WitFoo Artifacts; also hosts the relational (SQL) data cluster.

Downloads

Node                     CPU   RAM    Disk    OVA Download   VHD Download
All-in-One (200GB Data)  8     24GB   300GB   OVA            VHD
All-in-One (1TB Data)    8     24GB   1.3TB   OVA            VHD
Data (200GB Data)        4     12GB   275GB   OVA            VHD
Data (1TB Data)          4     12GB   1.1TB   OVA            VHD
Streamer                 4     8GB    100GB   OVA            VHD
IE/Management            4     8GB    60GB    OVA            VHD

Best Practice Note: Initial deployments created as a minimum horizontal cluster allow simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Node for each transport type (syslog, NetFlow, Beats, Cloudwatch, Splunk)
  • Three (3) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Appliance Deployment Instructions

It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Network Configuration

The operating system of WitFoo Precinct is Ubuntu 18.04 LTS. Before running ./register, ensure networking is configured correctly. For reference see: https://ubuntu.com/server/docs/network-configuration

It is highly recommended that network configuration be handled through DHCP scope reservations.

Installation Walk-through

The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/

Firewall Ports

All appliances must be able to reach the following external hosts on HTTPS (443/tcp):

Additionally, the cluster communicates internally over the following ports.

Image          Open Ports
All-in-One     SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node        SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node  SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node      SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp)
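The port table above doubles as a baseline for each appliance role: anything listening beyond the documented set is a firewall or hardening finding, and anything missing means a transport is not actually receiving data. The script below is an added example, not WitFoo code. It expands the table cells into (port, protocol) pairs and compares them with the listeners reported by `ss -tulnH` on a node (the sample `ss` output is constructed here, not captured from a real appliance). Loopback-only listeners are skipped because they are not reachable through the firewall.

```python
import re
from typing import Dict, Set, Tuple

PortSet = Set[Tuple[int, str]]

# Expected externally reachable listeners per appliance image, copied from the
# "Open Ports" table on this page.
EXPECTED_PORTS: Dict[str, str] = {
    "All-in-One": "SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), "
                  "NetFlow (2055/udp), Beats (5044/tcp)",
    "IE Node": "SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)",
    "Streamer Node": "SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), "
                     "NetFlow (2055/udp), Beats (5044/tcp)",
    "Data Node": "SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp)",
}

# Matches "514/udp/tcp", "6055/tcp", ... inside a table cell.
PORT_RE = re.compile(r"(\d+)/((?:tcp|udp)(?:/(?:tcp|udp))*)")


def parse_port_spec(spec: str) -> PortSet:
    """Expand a cell such as 'Syslog (514/udp/tcp, 6055/tcp)' into
    {(514, 'udp'), (514, 'tcp'), (6055, 'tcp')}."""
    ports: PortSet = set()
    for port, protos in PORT_RE.findall(spec):
        for proto in protos.split("/"):
            ports.add((int(port), proto))
    return ports


def _is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in ("[::1]", "::1")


def parse_ss_listeners(text: str) -> PortSet:
    """Parse `ss -tulnH` output (Netid State Recv-Q Send-Q Local:Port Peer:Port)
    and return the (port, proto) pairs bound to a non-loopback address."""
    listeners: PortSet = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local address may be '0.0.0.0:22', '*:22' or '[::]:22'; split on the last colon.
        host, _, port = fields[4].rpartition(":")
        if not port.isdigit() or _is_loopback(host):
            continue
        listeners.add((int(port), fields[0]))
    return listeners


def audit_node(role: str, ss_output: str) -> Dict[str, PortSet]:
    """Compare the listeners observed on a node against its documented role.
    'unexpected' = open but not in the table; 'missing' = in the table but not open."""
    expected = parse_port_spec(EXPECTED_PORTS[role])
    observed = parse_ss_listeners(ss_output)
    return {"unexpected": observed - expected, "missing": expected - observed}


# Constructed sample `ss -tulnH` output for a Streamer Node (not from a real appliance):
# 6514/tcp is not listening and 8080/tcp is exposed, which the audit should report.
SAMPLE_SS_STREAMER = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      4096         0.0.0.0:514       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:2055      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:5044      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
"""

if __name__ == "__main__":
    result = audit_node("Streamer Node", SAMPLE_SS_STREAMER)
    for kind, ports in result.items():
        for port, proto in sorted(ports):
            print(f"{kind}: {port}/{proto}")
```

On a live node, replace the constructed sample with the output of `ss -tulnH` and pick the role that matches the image; the same expected sets can be fed to a host firewall or a scanner allow-list so the baseline is enforced rather than only checked.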
Precinct Architecture

Training

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required).

Security Products Currently Supported

Vendor                Product                              Critical Security Controls
Amazon Web Services   Cloudwatch
Amazon Web Services   Cloudtrail
Amazon Web Services   Guard Duty                           1, 2, 4, 8, 12, 14
Apache                Apache Web Server
BRO IDS               BRO IDS
Barracuda             Barracuda WAF
Carbon Black          Carbon Black Protect/Defend          1, 2, 5, 8
Centrify              Centrify                             4
Checkpoint            Checkpoint FW                        9, 12
Cisco                 Stealthwatch                         12, 13
Cisco                 Advanced Malware Protection (AMP)    1, 8
Cisco                 Firepower                            7, 12
Cisco                 ASA Firewall                         9, 12
Cisco                 Meraki                               15
Cisco                 Cisco Ironport                       7
Cisco                 Umbrella                             7
Cisco                 Cisco Threat Response                8
Cisco                 Cisco Wireless                       15
Citrix                Netscaler                            2
Crowdstrike           Falcon                               1, 2, 5, 8
Cybereason            Cybereason                           1, 8
Cylance               Cylance Protect                      1, 5, 8
Ericsson              Security Manager                     1, 2, 8
F5                    ASM                                  12
FireEye               FireEye EMS                          1, 5, 8
Fortinet              Fortigate                            7, 9, 12
Gigamon               Application Metadata
Gin                   Gin Access Log
IBM                   QRadar                               1, 6, 16
Imperva               SecureSphere                         13
InfoBlox              InfoBlox                             1, 7
Juniper               Juniper FW                           7, 9, 12
Linux                 NameD
Linux                 SSHD
Malwarebytes          Malwarebytes Anti-Malware            1, 8
McAfee                McAfee Web Gateway                   7
McAfee                McAfee ePolicy Orchestrator          1, 8
Microsoft             Windows Logs                         4, 14
Microsoft             Windows Active Directory             4, 5, 14
Microsoft             Advanced Threat Analytics            13, 16
Microsoft             DHCP
Mist                  Mist Wireless                        15
Mojo                  Mojo Wireless                        15
Multiple              NetFlow v5, v7, v9
Multiple              IPFIX
Multiple              Common Event Format (CEF)
Multiple              Log Event Extended Format (LEEF)
Netscout              Netscout
Nokia                 NetGuard                             12
OSSEC                 OSSEC                                1, 8
POSTFIX               POSTFIX
Palo Alto             PAN NGFW                             7, 9, 12
ProofPoint            ProofPoint Protect                   7
Qualys                Qualys VA                            1, 2, 3, 5, 11
Radware               Radware Appwall                      12
Senhasegura           Senhasegura PAM                      4
Solarwinds            N-Central                            8
SonicWall             SonicWall Firewall                   9, 12
Sophos                Sophos Central                       1, 5, 8
Suricata              Suricata IDS                         12
Symantec              Symantec Endpoint Protection         1, 8
Symantec              Symantec Data Loss Prevention        13
Taxii                 STIX/Taxii
Threatmetrix          Threatmetrix
Thycotic              Secret Server                        4
Tippingpoint          Tippingpoint IPS                     9, 12
Titan                 SpamTitan                            7
TrapX                 TrapX
Trend Micro           Trend Deep Security                  1, 8
Varonis               DatAdvantage                         12
Vectra Networks       Cognito                              8
Wazuh                 Wazuh                                1, 8
Websense              Websense                             7
WitFoo                Precinct                             6, 16
Zix                   Zix Email                            7
pfSense               pfSense Firewall                     9, 12
zScaler               zScaler NSS                          7