Azure Configuration Recommendations

This topic contains the minimum Azure VM configuration settings recommended for the NetWitness Platform (NW) virtual stack components.

  • VM:

    • The recommended settings in the NetWitness Platform component VM tables below were calculated under the following conditions.

      • Ingestion rates of 15,000 EPS were used.
      • All the components were integrated.
      • The Log stream included a Log Decoder, Concentrator, and Archiver.
      • Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
      • The background load included reports, charts, alerts, investigation, and respond.
  • VHD (Storage)
    For information on how to increase the number of volumes based on your storage requirements using the RSA Sizing & Scoping Calculator, see the Storage Guide for RSA NetWitness® Platform 11.x.

    Azure Instance Recommendations

    The following table shows the storage recommendations for NetWitness Azure VMs.

    Azure Image Type  Rate (EPS)      CPU (Cores)  RAM (GB)  Instance Type (Azure Name)
    ----------------  --------------  -----------  --------  --------------------------
    NW                Does not apply  16           112       Standard D14_v2
    Log Decoder       15,000          32           128       Standard D32s_v3
    Log Concentrator  15,000          16           112       Standard DS14_v2
    Archiver          15,000          16           112       Standard D14_v2
    ESA               15,000          20           140       Standard D15_v2
    Log Collector     15,000          8            32        Standard D8s_v3
    UEBA*             Does not apply  16           112       Standard D14_v2

Note: *If your log collection volume is low, RSA recommends that you deploy UEBA only on a virtual host. If you have a moderate to high log collection volume, RSA recommends that you deploy UEBA on the physical host as described under "RSA NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide.

Refer to the Storage Guide for RSA NetWitness Platform for additional storage information.