WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 1 million events per hour or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.

Deployment Video Guide

Deployment Options

WitFoo Precinct can be deployed in several methods.

Licenses

A 30 day trial license is automatically issued on all new appliance deployments when they launch. To obtain a trial license manually, please fill out this form. To obtain a production license, please request a quote and a WitFoo Partner will deliver the quote. Cloud hosted licensing on pay-as-you-go appliances are automatically billed to the cloud account. Pricing details are available on the pricing page for software only and the cloud page for SaaS offering

Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. There is an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 1 million records per hour when clustered (at optimal resource allocation and Core processing level.) Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.
  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 1M eph.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
  • Streamer Node – Receives, parses, and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
    • SaaS Streamer requires more resources for CPU and RAM due to added Dispatcher functionality.
  • Data Node – Cassandra data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.

Downloads

NodeCPURAMDiskOVA DownloadVHD Download
All-in-One (200GB Data)824GB300GBOVAarrow_downwardVHDarrow_downward
All-in-One (1TB Data)824GB1.3TBOVAarrow_downwardVHDarrow_downward
Data (200GB Data)412GB275GBOVAarrow_downwardVHDarrow_downward
Data (1TB Data)412GB1.1TBOVAarrow_downwardVHDarrow_downward
Streamer48GB115GBOVAarrow_downwardVHDarrow_downward
SaaS Streamer812GB115GBOVAarrow_downwardVHDarrow_downward
IE/Management412GB155GBOVAarrow_downwardVHDarrow_downward
Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:
  • One (1) IE Node
  • One (1) Streamer Nodes for each transport type (syslog, NetFlow, Beats, Cloudwatch, Splunk)
  • Three (3) Data Nodes
For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Appliance Deployment Instructions

It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Network Configuration

The operating system of WitFoo Precinct is Ubuntu 20.04 LTS. Before running ./register ensure networking is configured correctly. For reference see: https://ubuntu.com/server/docs/network-configurationIt is highly recommended that network configuration be handled through DHCP scope reservations.

Installation Walk-through

The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/

Firewall Ports

All appliances must be able to reach the following external hosts on HTTPS (443/tcp): Additionally, the cluster communicates internally over the following ports.
ImageOpen Ports
All-in-OneSSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE NodeSSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer NodeSSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data NodeSSH (22/tcp), Cassandra (9042/tcp) Replication (7001/tcp)
Precinct Architecture

Precinct Architecture

Training

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)

Security Products Currently Supported

VendorProductCritical Security ControlsGuide
AT&TAT&T Arris Gateway9 ,12
ActifioActifio1 ,2 ,3 ,5 ,11
AkamaiAkamai SIEM Integration12
Amazon Web ServicesCloudwatchGuide
Amazon Web ServicesCloudtrail
Amazon Web ServicesGuard Duty9 ,12
Amazon Web ServicesAWS VPC Security9 ,12
Amazon Web ServicesAWS Instance Backup10
ApacheApache Web Server
ApacheApache Tomcat
AudioCodesMediant Media Gateway9 ,12
AutomoxAutomox1 ,3 ,8
BRO IDSBRO IDS
BarracudaBarracuda WAF12
BarracudaBarracuda CloudGen Firewall9 ,12
BarracudaBarracuda ESS7
Beyond TrustBeyond Trust4 ,16
Carbon BlackCarbon Black Protect/Defend1 ,8
CentrifyCentrify4 ,16
CheckpointCheckpoint FW9 ,12Guide
CiscoFirepower9 ,12Guide
CiscoCisco Ironport7
CiscoCisco Threat Response1 ,8Guide
CiscoCisco Wireless15
CiscoCisco ISE1 ,4 ,9 ,14
CiscoCisco Network Operating System11
CiscoWeb Security Appliance (WSA)1 ,8
CiscoAccess Control Server (ACS)1 ,4 ,6 ,9 ,11 ,14
CiscoCisco Meraki Firewall9 ,12
CiscoPIX Firewall9 ,12
CiscoStealthwatch8Guide
CiscoAdvanced Malware Protection (AMP)1 ,8 ,3Guide
CiscoASA Firewall9 ,12Guide
CiscoMeraki9 ,12 ,15Guide
CiscoUmbrella1 ,7Guide
CiscoDuo1 ,4 ,9 ,14
CitrixNetscaler9 ,12
CrowdstrikeFalcon1 ,2 ,8 ,3Guide
CubroCubro Network Visibility
CyberArkCyberArk EPM4Guide
CyberArkCyberArk Vault4Guide
CybereasonCybereason1 ,8
CylanceCylance Protect1 ,8Guide
DattoDatto RMM1 ,8
Deep InstinctAdvanced Endpoint Security1 ,8
DruvaDruva4Guide
ESETESET Antivirus1 ,8
EricssonSecurity Manager1 ,8
F5ASM7 ,9 ,12Guide
FireEyeFireEye Email Security (EX Series)7
FireEyeFireEye Network Security (NX Series)1 ,8
FireEyeFireEye Endpoint Security (HX Series)1 ,8Guide
FireEyeFireEye Malware Analysis (AX Series)1 ,8
FireEyeFireEye File Protect (FX Series)13
FireEyeFireEye Central Management (CM Series)1 ,8
FortinetFortigate9 ,12
FortinetFortimail9 ,12
GigamonGigamon GigaVUE
GinGin Access Log
HAProxyHAProxy Load Balancer
HPEHPE Nimble13
HPEHPE EFS13
IBMQRadar6 ,16Guide
IBMIBM i Powertech SIEM Agent4 ,5 ,14
ImpervaSecureSphere13
InfoBloxInfoBlox1 ,7
InfocyteInfocyte Hunt1 ,8
JavaMelody ProjectJavaMelody
JuniperJuniper FW9 ,12
LinuxNameD
LinuxSSHD
Linuxfail2ban4
LinuxAuditd Logs4 ,5 ,14
LinuxLinux PAM4
MalwarebytesMalwarebytes Anti-Malware1 ,8
ManageEngineManageEngine ADManager4 ,14 ,16
McAfeeMcAfee Web Gateway9 ,12
McAfeeMcAfee ePolicy Orchestrator1 ,8Guide
McAfeeMcAfee Network Security9 ,12
McAfeeMcAfee Endpoint Security1 ,8
MicrosoftWindows Logs4 ,5 ,14Guide
MicrosoftWindows Active Directory4 ,5 ,14Guide
MicrosoftAdvanced Threat Analytics1 ,8
MicrosoftDHCP
MicrosoftAzure Security2 ,4 ,5 ,9 ,13 ,14 ,16Guide
MicrosoftGraph2 ,4 ,5 ,9 ,13 ,14 ,16Guide
MimecastMimecast7
MistMist Wireless15Guide
MojoMojo Wireless15
MultipleNetFlow v5, v7, v9Guide
MultipleIPFIX
MultipleCommon Event Format (CEF)
MultipleLog Event Extended Format (LEEF)
NXLogNXLog
NetscoutNetscout
NetskopeNetskope8Guide
NetwrixStealthbits4 ,13 ,16
NokiaNetGuard9 ,12
Noname SecurityNoname Security
OPNSenseOPNsense Firewall9 ,12
OSSECOSSEC1 ,8
OktaOkta4 ,16
OpenVPNOpenVPN9 ,12
POSTFIXPOSTFIX
PaesslerPRTG Network Monitor1 ,6
Palo AltoPAN NGFW9 ,12Guide
Palo AltoCortex XDR1 ,2 ,8Guide
ProofPointProtect7
ProofPointCASB7
PulsePulse Secure4 ,16
QualysVulnerability Management1 ,2 ,3 ,5 ,11Guide
RadwareRadware Appwall12
RoqosRoqos Core9 ,12
SSSD ProjectSystem Security Services Daemon (sssd)4
SecureCircleSecureCircle5 ,13 ,14
SecureworksTaegis VDR1 ,8
Security Onion Solutions, LLCSecurity Onion1 ,6 ,16 ,19
SenhaseguraSenhasegura PAM4
SentinelOneSentinelOne1 ,8
ShibbolethShibboleth IDP4 ,16
SolarwindsN-Central1 ,8
SonicWallSonicWall Firewall9 ,12Guide
SophosSophos Central1 ,8
SuricataSuricata IDS
SymantecSymantec Endpoint Protection1 ,8Guide
SymantecSymantec Data Loss Prevention13
SymantecProxySG1 ,7
TaniumTanium1 ,8
TaxiiSTIX/TaxiiGuide
TenableVulnerability Management1 ,2 ,3 ,5 ,11Guide
ThreatmetrixThreatmetrix
ThycoticSecret Server4 ,16Guide
TippingpointTippingpoint IPS9 ,12
TitanSpamTitan7
TrapXTrapX
Trend MicroTrend Deep Security1 ,8
TufinTufin SecureTrack9 ,11
UbiquityUnify Security Gateway9 ,12
VMWareVMWare VCenter2
VMWareVMWare NSX Firewall9 ,12
VaronisDatAdvantage13
Vectra NetworksCognito8
VyOSVyOS9 ,12
WazuhWazuh1 ,8Guide
WebsenseWebsense7 ,9 ,12
WitFooPrecinct1 ,6 ,16 ,19
WitFooWitFoo IOC Feed
ZixSecure Cloud7
ZixAppRiver7
carson_saintCarson & Saint1 ,2 ,3 ,5 ,11
linuxUncomplicated Firewall (UFW)9 ,12
linuxKernel5 ,6
linuxNetfilter ulogd9 ,12
pfSensepfSense Firewall9 ,12Guide
zScalerzScaler NSS7 ,9 ,12Guide