Technical Specifications

WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with fewer than 10,000 events per second, or in a horizontally and vertically scaling architecture that supports millions of events per second with long-term retention and processing.

Appliance Deployment Instructions

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required).

Installation Walk-through

Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. An All-in-One appliance contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level). Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration, as well as distributed processing and analysis.
  • Streamer Node – Receives and parses Syslog and NetFlow and stores them as WitFoo Artifacts on the Data Nodes. Also includes the Investigative Engine.
  • Data Node – Cassandra data cluster node that receives, stores and processes WitFoo Artifacts; also hosts the relational (SQL) data cluster.

Node            CPU   RAM    Disk    OVA Download   AWS min / optimal
All-in-One      8     16GB   1.2TB   OVA            c5.2xlarge / c5.18xlarge
IE Node         4     8GB    130GB   OVA            c5.xlarge / c5.4xlarge
Streamer Node   4     8GB    130GB   OVA            c5.xlarge / c5.4xlarge
Data Node       4     8GB    1.2TB   OVA            c5.xlarge / c5.4xlarge

Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Node
  • Three (3) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

To request a trial license, complete this form.

Image           Open Ports
All-in-One      SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node         SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node   SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node       SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp)

Precinct Architecture

(Precinct Architecture diagram)

Security Products Currently Supported

Vendor            Product
BRO IDS           BRO IDS
Carbon Black      Carbon Black Protect/Defend
Centrify          Centrify
Checkpoint        Checkpoint FW
Cisco             Stealthwatch
Cisco             Advanced Malware Protection (AMP)
Cisco             Firepower
Cisco             ASA Firewall
Cisco             Meraki
Cisco             Cisco Ironport
Cisco             Umbrella
Cisco             Cisco Threat Response
Crowdstrike       Falcon
Cybereason        Cybereason
Cylance           Cylance Protect
F5                ASM
FireEye           FireEye EMS
Fortinet          Fortigate
IBM               QRadar
Imperva           SecureSphere
InfoBlox          InfoBlox
Malwarebytes      Malwarebytes Anti-Malware
McAfee            McAfee Web Gateway
McAfee            McAfee ePolicy Orchestrator
Microsoft         Windows Logs
Microsoft         Windows Active Directory
Microsoft         Advanced Threat Analytics
Mist              Mist Wireless
Nokia             NetGuard
OSSEC             OSSEC
Palo Alto         PAN NGFW
ProofPoint        ProofPoint Protect
Qualys            Qualys VA
Radware           Radware Appwall
Solarwinds        N-Central
Sophos            Sophos Central
Suricata          Suricata IDS
Symantec          Symantec Endpoint Protection
Symantec          Symantec Data Loss Prevention
Taxii             STIX/Taxii
Threatmetrix      Threatmetrix
Thycotic          Secret Server
Tippingpoint      Tippingpoint IPS
TrapX             TrapX
Trend Micro       Trend Deep Security
Varonis           DatAdvantage
Vectra Networks   Cognito
Wazuh             Wazuh
Websense          Websense
WitFoo            Precinct
zScaler           zScaler NSS