Azure: VM Configuration Recommendations

Note: For a description of terms and abbreviations used in this topic, refer to Deployment Overview.

This topic contains the minimum Azure VM configuration settings recommended for the NetWitness Platform (NW) virtual stack components.

• VM:
  • The recommended settings in the NetWitness Platform component VM tables below were calculated under the following conditions.
    • Ingestion rates of 15,000 EPS were used.
    • All the components were integrated.
    • The Log stream included a Log Decoder, Concentrator, and Archiver.
    • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
    • The background load included reports, charts, alerts, investigation, and respond.

• Note: For higher EPS rates, the Concentrator index volume must be allocated SSDs.
  

  Azure Instance Recommendations

  Following are the instance recommendations for NetWitness Azure VMs.

                                                                                     

  Azure Image Type	Rate (EPS)	CPU (Cores)	RAM (GB)	Instance Type (Azure Name)	Cache
  NW Admin Server	Does not apply	16	112	Standard D14_v2	Read/ Write
  Log Decoder	15,000	32	128	Standard D32s_v3	Read/ Write
  Concentrator	15,000	16	112	Standard DS14_v2	Read/ Write
  Archiver	15,000	16	112	Standard D14_v2	Read/ Write
  ESA	15,000	20	140	Standard D15_v2	Read/ Write
  UEBA	-	16	64	-	-
  Log Collector	15,000	8	32	Standard D8s_v3	Read/ Write
  Endpoint Hybrid	25,000	16	32	Standard DS14_v2	Read/ Write