
Azure Configuration Recommendations


This topic contains the minimum Azure VM configuration settings recommended for the NetWitness (NW) virtual stack components.

  • VM:

    • The recommended settings in the NetWitness component VM tables below were calculated under the following conditions.

      • Ingestion rates of 15,000 EPS and 1.5GBps were used.
      • All the components were integrated.
      • The Log stream included a Log Decoder, Concentrator, and Archiver.
      • The Packet stream included a Network Decoder and Concentrator.
      • Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
      • The background load included reports, charts, alerts, investigation, and respond.
      • The default partition size of Azure VM hosts for /root is 8GB and for /var/netwitness is 15GB. These partitions can be increased to a minimum of 40GB. For more information, see Updating Partition Size.
  • VHD (Storage)
    For more information, see Storage Guide for NetWitness® Platform XDR 12.1 on how to increase the number of volumes based on your storage requirements using the NetWitness Sizing & Scoping Calculator.

    Azure Instance Recommendations

    The following table shows the storage recommendations for NetWitness Azure VMs.

    • Azure Image Type: NW Server
    • Rate (EPS): Does not apply
    • CPU (Cores): 16
    • RAM (GB): 112
    • Instance Type (Azure Name): Standard D14_v2

    • Azure Image Type: Log Decoder
    • Rate (EPS): 15,000
    • CPU (Cores): 32
    • RAM (GB): 128
    • Instance Type (Azure Name): Standard D32s_v3

    • Azure Image Type: Log Concentrator
    • Rate (EPS): 15,000
    • CPU (Cores): 16
    • RAM (GB): 112
    • Instance Type (Azure Name): Standard DS14_v2

    • Azure Image Type: Archiver
    • Rate (EPS): 15,000
    • CPU (Cores): 16
    • RAM (GB): 112
    • Instance Type (Azure Name): Standard D14_v2

    • Azure Image Type: Log Collector
    • Rate (EPS): 15,000
    • CPU (Cores): 8
    • RAM (GB): 32
    • Instance Type (Azure Name): Standard D8s_v3

    • Azure Image Type: UEBA*
    • Rate (EPS): Does not apply
    • CPU (Cores): 16
    • RAM (GB): 112
    • Instance Type (Azure Name): Standard D14_v2

Note: *If your log collection volume is low, NetWitness recommends that you deploy UEBA only on a virtual host. If you have a moderate to high log collection volume, NetWitness recommends that you deploy UEBA on the physical host as described under "NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide.

Refer to the Storage Guide for NetWitness Platform for additional storage information.

Packet Stream Solutions

The following tables show instance recommendations for different EPS rates for the Packet stream.

Note: NetWitness Decoder is supported with the Gigamon Packet broker in the Azure Cloud environment from version 11.7.x or higher.

Decoder - Gigamon Solution

  • Azure Image Type: Decoder
  • Rate (Mbps): 500
  • CPU (Cores): 16
  • RAM (GB): 64
  • Instance Type (Azure Name): Standard D16ds_v4
  • Accelerated Networking Enabled: Yes

  • Azure Image Type: Decoder
  • Rate (Mbps): 1000
  • CPU (Cores): 16
  • RAM (GB): 64
  • Instance Type (Azure Name): Standard D16ds_v4
  • Accelerated Networking Enabled: Yes

  • Azure Image Type: Decoder
  • Rate (Mbps): 1500
  • CPU (Cores): 32
  • RAM (GB): 128
  • Instance Type (Azure Name): Standard D32ds_v4
  • Accelerated Networking Enabled: Yes

  • Rate (Mbps): 500
  • Volumes: index, session, meta
  • Volume Type: RAID5 of minimum 3 P15 Premium SSD Disks
  • IOPS / Baseline Throughput: 80MB/s

  • Rate (Mbps): 500
  • Volumes: packet
  • Volume Type: RAID5 of minimum 3 P15 Premium SSD Disks
  • IOPS / Baseline Throughput: 80MB/s

  • Rate (Mbps): 1000
  • Volumes: index, session, meta
  • Volume Type: RAID5 of minimum 3 P20 Premium SSD Disks
  • IOPS / Baseline Throughput: 170MB/s

  • Rate (Mbps): 1000
  • Volumes: packet
  • Volume Type: RAID5 of minimum 3 P30 Premium SSD Disks
  • IOPS / Baseline Throughput: 170MB/s

  • Rate (Mbps): 1500
  • Volumes: index, session, meta
  • Volume Type: RAID5 of minimum 3 P40 Premium SSD Disks
  • IOPS / Baseline Throughput: 300MB/s

  • Rate (Mbps): 1500
  • Volumes: packet
  • Volume Type: RAID5 of minimum 3 P40 Premium SSD Disks
  • IOPS / Baseline Throughput: 300MB/s

Concentrator - Gigamon Solution

  • Azure Image Type: Packet Concentrator
  • Rate (Mbps): 500
  • CPU (Cores): 16
  • RAM (GB): 64
  • Instance Type (Azure Name): Standard D16ds_v4
  • Accelerated Networking Enabled: No

  • Azure Image Type: Packet Concentrator
  • Rate (Mbps): 1000
  • CPU (Cores): 16
  • RAM (GB): 114
  • Instance Type (Azure Name): Standard DS14_v2
  • Accelerated Networking Enabled: No

  • Azure Image Type: Packet Concentrator
  • Rate (Mbps): 1500
  • CPU (Cores): 16
  • RAM (GB): 114
  • Instance Type (Azure Name): Standard DS14_v2
  • Accelerated Networking Enabled: No

Note: For a Packet Concentrator at the 500 Mbps rate, if the query load on the environment is on the higher side (max concurrent queries > 5), the Standard DS14_v2 instance is recommended.

  • Rate (Mbps): 500
  • Volumes: index
  • Volume Type: RAID5 of minimum 3 P30 Premium SSD Disks
  • IOPS / Baseline Throughput: 10000

  • Rate (Mbps): 500
  • Volumes: session, meta
  • Volume Type: RAID5 of minimum 3 P15 Premium SSD Disks
  • IOPS / Baseline Throughput: 80MB/s

  • Rate (Mbps): 1000
  • Volumes: index
  • Volume Type: RAID5 of minimum 3 P40 Premium SSD Disks
  • IOPS / Baseline Throughput: 12000

  • Rate (Mbps): 1000
  • Volumes: session, meta
  • Volume Type: RAID5 of minimum 3 P20 Standard SSD Disks
  • IOPS / Baseline Throughput: 170MB/s

  • Rate (Mbps): 1500
  • Volumes: index
  • Volume Type: RAID5 of minimum 3 P40 Premium SSD Disks
  • IOPS / Baseline Throughput: 15000

  • Rate (Mbps): 1500
  • Volumes: session, meta
  • Volume Type: RAID5 of minimum 3 P40 Premium SSD Disks
  • IOPS / Baseline Throughput: 300MB/s

ESA and Context Hub

The following table shows instance recommendations for different EPS rates for ESA.

  • Rate (EPS): 15,000
  • CPU (Cores): 16
  • RAM (GB): 112
  • Instance Type: Standard DS14_v2
  • Accelerated Networking Enabled: No

  • Rate (EPS): 50,000
  • CPU (Cores): 20
  • RAM (GB): 140
  • Instance Type: Standard DS15_v2
  • Accelerated Networking Enabled: Yes

  • Rate (EPS): 100,000
  • CPU (Cores): 32
  • RAM (GB): 256
  • Instance Type: Standard E32s_v3
  • Accelerated Networking Enabled: Yes

Updating Partition Size

You can increase the partition size to a minimum of 40GB each.

After adding additional required disk size to the Azure VM, you can extend the partition sizes using the following commands:

  1. SSH to the VM, log in as the root user, and execute the following command to view the existing partitions along with the new partition added.
    lsblk
  2. Check the name of the new partition (for example, sdc) and run the following commands:
    pvcreate /dev/sdc -y
    vgextend netwitness_vg00 /dev/sdc -y
    lvextend -L 40G /dev/netwitness_vg00/root -y
    xfs_growfs /dev/netwitness_vg00/root
    lvextend -L 40G /dev/netwitness_vg00/nwhome -y
    xfs_growfs /dev/netwitness_vg00/nwhome

These commands are provided assuming that sdc is the new disk added and 40GB is the extended partition size for each of the partitions.
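
The commands above assume that sdc is the new, empty disk, and pvcreate with -y will not ask before overwriting a disk that is already in use. The following sketch is an added example, not NetWitness code: it checks that assumption against `lsblk -P` output and only then prints the page's commands as a dry run. The function names and the sample lsblk output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetWitness code): confirm a disk is unused before pvcreate.

# Constructed sample of: lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
SAMPLE_LSBLK='NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="netwitness_vg00-root" PKNAME="sda2" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt"
NAME="sdc" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""'

# Read lsblk -P output on stdin; print whole disks that have no filesystem
# signature, no mount point and no child partitions or logical volumes.
find_unused_disks() {
    awk '
    function val(key,   s, m) {
        s = " " $0
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        m = substr(s, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    {
        if (val("PKNAME") != "") has_child[val("PKNAME")] = 1
        if (val("TYPE") == "disk" && val("FSTYPE") == "" && val("MOUNTPOINT") == "")
            cand[++n] = val("NAME")
    }
    END { for (i = 1; i <= n; i++) if (!(cand[i] in has_child)) print cand[i] }'
}

# Dry run: print the page's commands for disk $1 (size $2, default 40G) only
# if the lsblk data on stdin shows that disk as unused; otherwise return 1.
plan_extend() {
    disk=$1; size=${2:-40G}
    if ! find_unused_disks | grep -qx "$disk"; then
        echo "refusing: /dev/$disk is missing or already in use" >&2
        return 1
    fi
    for lv in root nwhome; do
        [ "$lv" = root ] && printf '%s\n' "pvcreate /dev/$disk -y" \
            "vgextend netwitness_vg00 /dev/$disk -y"
        printf '%s\n' "lvextend -L $size /dev/netwitness_vg00/$lv -y" \
            "xfs_growfs /dev/netwitness_vg00/$lv"
    done
}

# On a live host, replace the printf with the lsblk command shown above.
printf '%s\n' "$SAMPLE_LSBLK" | plan_extend sdc
printf '%s\n' "$SAMPLE_LSBLK" | plan_extend sdb || echo "sdb rejected"
```

In the constructed sample, sda and sdb are rejected because they carry partitions, so only sdc produces a command plan.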