Azure: VM Configuration Recommendations

Document created by RSA Information Design and Development on Feb 2, 2018Last modified by RSA Information Design and Development on Sep 12, 2018
Version 4Show Document
  • Comment0
  • View in full screen mode
 

Note: For a description of terms and abbreviations used in this topic, refer to Deployment Overview.

This topic contains the minimum Azure VM configuration settings recommended for the NetWitness Platform (NW) virtual stack components.

  • VM:
    • The recommended settings in the NetWitness Platform component VM tables below were calculated under the following conditions.
      • Ingestion rates of 15,000 EPS were used.
      • All the components were integrated.
      • The Log stream included a Log Decoder, Concentrator, and Archiver.
      • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
      • The background load included reports, charts, alerts, investigation, and respond.

  • Note: For higher EPS rates, the Concentrator index volume must be allocated SSDs.

    Azure Instance Recommendations

    Following are the instance recommendations for NetWitness Azure VMs.

                                                                                       
    Azure Image TypeRate (EPS)CPU (Cores)RAM (GB)Instance Type (Azure Name)Cache
    NW Admin ServerDoes not apply16112

    Standard D14_v2

    Read/
    Write

    Log Decoder15,00032128Standard D32s_v3Read/
    Write
    Concentrator15,00016112

    Standard DS14_v2

    Read/
    Write

    Archiver15,00016112Standard D14_v2Read/
    Write
    ESA15,00020140

    Standard D15_v2

    Read/
    Write

    UEBA-16 64--
    Log Collector15,000832Standard D8s_v3Read/
    Write
    Endpoint Hybrid25,00016 32 Standard DS14_v2Read/
    Write
Previous Topic:Deployment Overview
You are here
Table of Contents > VM Configuration Recommendations

Attachments

    Outcomes