WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 50,000 events per second or can be deployed in a horizontally scaling architecture to allow for millions of events per second and long term retention and processing.
VM Deployment Instructions
Virtual Appliances
WitFoo Precinct is deployed via virtual machines. There is a small and large option for an All-in-One appliance that contains all four WitFoo Precinct components.Each node can handle up to 200,000 events per second when clustered. Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.
- Management Node – Provides the user interface and centralized configuration.
- Processing Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
- Data Node – NoSQL data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.
- All-in-One – Contains Management, Processing and Data nodes. Rated up to 10k eps.
| Node | CPU (min/optimal) | RAM (min/optimal) | Disk | Appliance | AWS min/optimal |
|---|---|---|---|---|---|
| All-in-One (Small) | 2 / 6 | 2GB / 8GB | 200GB | Small | t2.large / i2.2xlarge |
| All-in-One (Large) | 2 / 6 | 2GB / 8GB | 1TB | Large | t2.medium / c5d.2xlarge |
| Management Node | 1 / 6 | 2GB / 4GB | 200GB | Small | t2.medium / c5d.2xlarge |
| Processing Node | 2 / 8 | 4GB / 8GB | 200GB | Small | c4.2xlarge / c5d.2xlarge |
| Data Node | 2 / 8 | 2GB / 8GB | 200GB or 1TB | Small or Large | t2.large / i2.2xlarge |
Best Practice Note: All-in-One appliances are not recommended for production deployments. Minimum deployment nodes are:
- One (1) Management Node
- Two (2) Processing Nodes
- Two (2) Data Nodes
For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.
To request a trial license, complete this form.
| Image | Open Ports |
|---|---|
| All-in-One | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| Management Node | SSH (22/tcp), HTTPS (443/tcp), MySQL Management (1186/tcp) |
| Processing Node | SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| Data Node | SSH (22/tcp), MySQLD (33060/tcp) MySQL Data (2202/tcp), ElasticAPI(9200/tcp), Replication(9300/tcp) |
Precinct Architecture
Integrations
Precinct accepts syslog and NetFlow from the organization and connects to security and orchestration tool API.
| Tool | Syslog | Field Extraction | Network Communications | User Sessions | API | Lab Insights |
|---|---|---|---|---|---|---|
| All Syslog | Yes | – | – | – | – | – |
| Common Event Format (CEF) | Yes | Yes | Yes | Yes | – | – |
| NetFlow v5, v9 | – | Yes | Yes | – | – | Yes |
| NSEL, jFlow, cFlow | – | Yes | Yes | – | – | Yes |
| QRadar | Yes | Yes | Yes | Yes | Yes | Yes |
| Splunk | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco AMP | – | Yes | Yes | Yes | Yes | Yes |
| CarbonBlack/Bit9 Protect | – | Yes | – | Yes | Yes | Yes |
| CarbonBlack/Bit9 Respond | – | Yes | – | Yes | Yes | Yes |
| Crowdstrike | – | Yes | Yes | Yes | Yes | Yes |
| Symantec SEP | Yes | Yes | Yes | Yes | – | Yes |
| McAfee ePo | Yes | Yes | Yes | Yes | – | Yes |
| TrapX | Yes | Yes | Yes | – | – | Yes |
| Cisco ASA | Yes | Yes | Yes | Yes | – | Yes |
| Palo Alto NGFW | Yes | Yes | Yes | – | – | Yes |
| Checkpoint FW | Yes | Yes | Yes | – | – | Yes |
| Cisco Meraki | Yes | Yes | Yes | – | – | Yes |
| Cisco ISE | Yes | Yes | Yes | – | – | Yes |
| Cisco Stealthwatch | – | Yes | Yes | – | Yes | Yes |
| Tippingpoint FW | Yes | Yes | – | – | – | Yes |
| STIX/TAXII | – | Yes | – | – | Yes | Yes |
| Winlogbeats | – | Yes | – | Yes | – | Yes |
Would you like to see a new integration? Create a Feature Request to see it in an upcoming release.For details on configuration and integration see: https://vimeo.com/277807076.
