Azure Configuration Recommendations

This topic contains the minimum Azure VM configuration settings recommended for the NetWitness (NW) virtual stack components.

  • VM:

    • The recommended settings in the NetWitness component VM tables below were calculated under the following conditions.

      • Ingestion rates of 15,000 EPS (log stream) and 1.5 Gbps (packet stream) were used.
      • All the components were integrated.
      • The Log stream included a Log Decoder, Concentrator, and Archiver.
      • The Packet stream included a Network Decoder and Concentrator.
      • Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
      • The background load included reports, charts, alerts, Investigate, and Respond.
      • On Azure VM hosts the default size of the root partition (netwitness_vg00/root) is 8GB and of /var/netwitness (netwitness_vg00/nwhome) is 15GB. Both can be increased to a minimum of 40GB; see Updating Partition Size below.
  • VHD (Storage)
    For more information, see Storage Guide for NetWitness® Platform XDR 12.1 on how to increase the number of volumes based on your storage requirements using the NetWitness Sizing & Scoping Calculator.

Azure Instance Recommendations

The following table shows the instance recommendations for NetWitness Azure VMs (storage sizing is covered in the Storage Guide referenced above).

Azure Image Type    Rate (EPS)      CPU (Cores)  RAM (GB)  Instance Type (Azure Name)
NW Server           Does not apply  16           112       Standard D14_v2
Log Decoder         15,000          32           128       Standard D32s_v3
Log Concentrator    15,000          16           112       Standard DS14_v2
Archiver            15,000          16           112       Standard D14_v2
Log Collector       15,000          8            32        Standard D8s_v3
UEBA*               Does not apply  16           112       Standard D14_v2

Note: *If your log collection volume is low, NetWitness recommends deploying UEBA on a virtual host. If your log collection volume is moderate to high, NetWitness recommends deploying UEBA on a physical host as described under "NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide.

Refer to the Storage Guide for NetWitness Platform for additional storage information.

Packet Stream Solutions

The following tables show instance and storage recommendations for the Packet stream at different capture rates (Mbps).

Note: In Azure cloud environments, the NetWitness Decoder is supported with the Gigamon packet broker from NetWitness version 11.7.x onward.

Decoder - Gigamon Solution

Azure Image Type  Rate (Mbps)  CPU (Cores)  RAM (GB)  Instance Type (Azure Name)  Accelerated Networking Enabled
Decoder           500          16           64        Standard D16ds_v4           Yes
Decoder           1000         16           64        Standard D16ds_v4           Yes
Decoder           1500         32           128       Standard D32ds_v4           Yes

Rate (Mbps)  Volumes               Volume Type                                Baseline Throughput
500          index, session, meta  RAID5 of minimum 3 P15 Premium SSD Disks   80 MB/s
500          packet                RAID5 of minimum 3 P15 Premium SSD Disks   80 MB/s
1000         index, session, meta  RAID5 of minimum 3 P20 Premium SSD Disks   170 MB/s
1000         packet                RAID5 of minimum 3 P30 Premium SSD Disks   170 MB/s
1500         index, session, meta  RAID5 of minimum 3 P40 Premium SSD Disks   300 MB/s
1500         packet                RAID5 of minimum 3 P40 Premium SSD Disks   300 MB/s

Concentrator - Gigamon Solution

Azure Image Type     Rate (Mbps)  CPU (Cores)  RAM (GB)  Instance Type (Azure Name)  Accelerated Networking Enabled
Packet Concentrator  500          16           64        Standard D16ds_v4           No
Packet Concentrator  1000         16           112       Standard DS14_v2            No
Packet Concentrator  1500         16           112       Standard DS14_v2            No

Note: For a Packet Concentrator at 500 Mbps, if the query load on the environment is high (more than 5 concurrent queries), NetWitness recommends using the Standard DS14_v2 instance instead.

Rate (Mbps)  Volumes        Volume Type                                IOPS / Baseline Throughput
500          index          RAID5 of minimum 3 P30 Premium SSD Disks   10,000 IOPS
500          session, meta  RAID5 of minimum 3 P15 Premium SSD Disks   80 MB/s
1000         index          RAID5 of minimum 3 P40 Premium SSD Disks   12,000 IOPS
1000         session, meta  RAID5 of minimum 3 P20 Premium SSD Disks   170 MB/s
1500         index          RAID5 of minimum 3 P40 Premium SSD Disks   15,000 IOPS
1500         session, meta  RAID5 of minimum 3 P40 Premium SSD Disks   300 MB/s

ESA and Context Hub

The following table shows instance recommendations for ESA at different EPS rates.

Rate (EPS)  CPU (Cores)  RAM (GB)  Instance Type      Accelerated Networking Enabled
15,000      16           112       Standard DS14_v2   No
50,000      20           140       Standard DS15_v2   Yes
100,000     32           256       Standard E32s_v3   Yes

Updating Partition Size

You can increase the root and /var/netwitness partitions to a minimum of 40GB each.

After attaching a disk of the required size to the Azure VM, extend the partitions as follows:

  1. SSH to the VM, log in as root, and list the block devices to identify the newly attached disk alongside the existing partitions:

    lsblk

  2. Note the device name of the new disk (for example, sdc). It should show no partitions, no filesystem type and no mount point; a disk that is already in use must not be passed to pvcreate, because pvcreate overwrites its signature.

  3. Add the disk to the netwitness_vg00 volume group, then extend each logical volume and grow its XFS filesystem:

    pvcreate /dev/sdc -y
    vgextend netwitness_vg00 /dev/sdc -y
    lvextend -L 40G /dev/netwitness_vg00/root -y
    xfs_growfs /dev/netwitness_vg00/root
    lvextend -L 40G /dev/netwitness_vg00/nwhome -y
    xfs_growfs /dev/netwitness_vg00/nwhome

These commands assume that sdc is the new disk and 40GB is the target size for each partition. -L 40G sets the absolute size of the logical volume, so the new disk must supply at least the combined difference for both volumes (57GB for the 8GB and 15GB defaults, plus LVM metadata overhead), and the lvextend command fails if the volume is already larger than 40G. xfs_growfs enlarges the mounted filesystem online; no reboot is required.
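The following script is an added example of the same procedure with the checks a practitioner would want before running it on a production host; it is not part of the NetWitness documentation. It assumes LVM2 and xfsprogs are installed, the volume group is netwitness_vg00 with logical volumes root and nwhome as on this page, the script runs as root, and the new disk name (e.g. sdc) is passed as the first argument. It refuses to pvcreate a disk that lsblk shows as partitioned, formatted or mounted, skips a volume that is already at the target size (so a re-run is harmless), confirms the volume group has enough free space before extending, and uses lvextend -r to grow the XFS filesystem in the same step instead of a separate xfs_growfs. Without NW_APPLY=1 it only reports what it would do. The lsblk sample embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the NetWitness documentation. Assumes LVM2 + xfsprogs,
# VG netwitness_vg00 with LVs root and nwhome, run as root, new disk name in $1.
set -eu

VG=netwitness_vg00
TARGET_GB=${NW_TARGET_GB:-40}   # the page's 40GB target, per logical volume

# mib SIZE: convert an LVM-style size (8.00g, 15g, 40G, 512m, 1.5t) to whole MiB.
mib() {
  num=${1%[gGmMtT]}
  unit=${1#"$num"}
  case "$unit" in
    m|M) awk -v n="$num" 'BEGIN { printf "%d\n", n }' ;;
    g|G) awk -v n="$num" 'BEGIN { printf "%d\n", n * 1024 }' ;;
    t|T) awk -v n="$num" 'BEGIN { printf "%d\n", n * 1024 * 1024 }' ;;
    *)   echo "mib: unsupported size '$1'" >&2; return 1 ;;
  esac
}

# plan CURRENT TARGET: MiB that must be added to reach TARGET, or 0 if the LV is
# already that big. lvextend -L <absolute size> fails when the LV is larger than
# the requested size, so a re-run must skip the volume instead of re-issuing it.
plan() {
  add=$(( $(mib "$2") - $(mib "$1") ))
  if [ "$add" -gt 0 ]; then echo "$add"; else echo 0; fi
}

# disk_in_use LSBLK_OUTPUT NAME: succeeds (0) if NAME carries a partition table,
# a filesystem or LVM PV signature, or a mount point; fails (1) if it looks fresh.
# LSBLK_OUTPUT is the text of: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
disk_in_use() {
  printf '%s\n' "$1" | awk -F'"' -v d="$2" '
    $2 == d && ($6 != "" || $8 != "") { used = 1 }   # signature (xfs, LVM2_member, ...) or mounted
    $4 == "part" && $10 == d          { used = 1 }   # a partition names NAME as its parent
    END { exit used ? 0 : 1 }'
}

# Constructed sample of lsblk -P output (not captured from a real host): sda is
# the OS disk, sdb the Azure temporary disk, sdc a fresh data disk, sdd a disk
# that already carries an LVM PV signature.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda"
NAME="netwitness_vg00-root" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/" PKNAME="sda2"
NAME="netwitness_vg00-nwhome" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/var/netwitness" PKNAME="sda2"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt/resource" PKNAME="sdb"
NAME="sdc" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdd" TYPE="disk" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME=""'

# lv_size LV: current size of /dev/$VG/LV in LVM "m" units, e.g. 8192.00m
lv_size() { lvs --noheadings --units m -o lv_size "/dev/$VG/$1" | tr -d ' '; }

main() {
  disk=${1:?usage: $0 <new-disk-name, e.g. sdc>}
  if disk_in_use "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME)" "$disk"; then
    echo "refusing to pvcreate /dev/$disk: it is partitioned, formatted or mounted" >&2
    return 1
  fi
  need=0
  for lv in root nwhome; do
    add=$(plan "$(lv_size "$lv")" "${TARGET_GB}g")
    need=$(( need + add ))
    echo "$lv: $(lv_size "$lv") -> ${TARGET_GB}G (+${add}M)"
  done
  if [ "${NW_APPLY:-0}" != 1 ]; then echo "dry run; set NW_APPLY=1 to apply"; return 0; fi
  pvcreate -y "/dev/$disk"
  vgextend -y "$VG" "/dev/$disk"
  free=$(vgs --noheadings --units m -o vg_free "$VG" | tr -d ' ')
  if [ "$(mib "$free")" -lt "$need" ]; then
    echo "$VG has only $free free but ${need}M is needed; attach a larger disk" >&2
    return 1
  fi
  for lv in root nwhome; do
    [ "$(plan "$(lv_size "$lv")" "${TARGET_GB}g")" -gt 0 ] || continue
    # -r (--resizefs) grows the mounted XFS filesystem through fsadm, which
    # replaces the separate xfs_growfs step shown on the page.
    lvextend -y -r -L "${TARGET_GB}g" "/dev/$VG/$lv"
  done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it first as `./grow_nw_lvs.sh sdc` to see the planned changes, then as `NW_APPLY=1 ./grow_nw_lvs.sh sdc` to apply them; the dry run still performs the disk-in-use check, so it catches a wrong device name before anything is written.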