Azure Install: Deployment Overview

Document created by RSA Information Design and Development Employee on Feb 2, 2018Last modified by RSA Information Design and Development Employee on May 19, 2020
Version 8Show Document
  • View in full screen mode

Before you can deploy RSA NetWitness Platform in Azure, you need to:

  • Understand the requirements of your enterprise.
  • Know the scope of a NetWitness Platform deployment.

When you are ready to begin the deployment:

  • Make sure that you have a NetWitness Platform "Throughput" license.
  • Use Chrome for your browser (Internet Explorer is not supported).

Azure Environment Recommendations

Azure instances have the same functionality as the NetWitness Platform hardware hosts. RSA recommends that you perform the following tasks when you set up your Azure environment.

  • Based on the resource requirements of the different components, follow best practices to use the system and dedicated storage appropriately.
  • Build Concentrator directory for index database on SSD.

Abbreviations and Other Terminology Used in this Guide

AzureAzure is Microsoft's public cloud computing platform. It provides a range of cloud services, including those for compute, analytics, storage and networking. You can pick and choose from these services to develop and scale new applications, or run existing applications, in the public cloud.


Bring Your Own Licensing

CPUCentral Processing Unit
EPSEvents Per Second
GBGigabyte. 1GB = 1,000,000,000 bytes
GbGigbit. 1Gb = 1,000,000,000 bits.
GbpsGigabits per second or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
GHzGigaHertz 1 GHz = 1,000,000,000 Hz
HDDHard Disk Drive
IOPSInput/Output Operations Per Second
MbpsMegabits per second or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
On-PremiseOn-premise hosts are installed and run on computers on the premises (in the building) of the organization using the hosts, rather than in the Azure.
RAMRandom Access Memory (also known as memory)
Security Set of firewall rules. Refer to Deployment: Network Architecture and Ports ( for a comprehensive list of the ports you must set up for all NetWitness Platform components.
SSD Solid-State Drive
vCPUVirtual Central Processing Unit (also known as a virtual processor)


Virtual Hard Disk

VMVirtual Machine
vRAMVirtual Random Access Memory. This is the memory for a virtual machine.

Azure Deployment Scenarios

The following diagrams illustrate some common Azure deployment scenarios. In the diagrams, the:

  • Log Decoder receives logs collected by the Log Collector. The Log Collector collects log events from hundreds of devices and event sources.
  • Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while facilitating reporting and alerting.

  • Endpoint Log Hybrid is used for collection of endpoint and log data. The Endpoint Log Hybrid comprises of an Endpoint Server, Log Decoder, and a Concentrator. The Log DecoderDecoder captures data from the Endpoint Server and processes the metadata.
  • NetWitness Server hosts Respond, Reporting Engine, Investigate, RSA Live, Administration, Endpoint Log Hybrid and other aspects of the user interface.

Full NetWitness Platform Stack Azure Visibility

This diagram shows all NetWitness Platform components (full stack) deployed in Azure.

Full Stack Azure Visibility

Note: You can add multiple Endpoint Log Hybrids. For a consolidated view of the endpoint data on multiple Endpoint Log Hybrids you must install the Endpoint Broker.

Hybrid Deployment - Log Decoder

This diagram shows the Log Decoder and Archiver deployed in Azure with all other NetWitness Platform components deployed on your premises.

Log Decoder and Archiver deployed in Azure

Supported Services

RSA provides the following NetWitness Platform services.

  • NetWitness Server
  • Archiver
  • Admin Server
  • Config Server
  • Investigate Server
  • Orchestration Server
  • Reporting Engine
  • Respond Server
  • Security Server
  • Broker
  • Concentrator
  • Event Stream Analysis
  • Log Decoder
  • Decoder
  • Remote Log Collector
  • Endpoint Server
  • User Entity and Behavior Analytics (UEBA)

You are here
Table of Contents > Deployment Overview