BluSapphire
Search…
Introduction
Product Videos
Unified Cyber Defense Platform
The Stack
Features and capabilities
Operations
Architecture
Integration
Cisco pxGrid Integration
MITRE ATT&CK
MITRE ATT&CK Coverage by Tactic
MITRE ATT&CK Coverage by Technique
BluArmour Endpoint Protection
BluArmour For ICS / AirGapped Networks
BluArmour Pre-Deployment Checklist & Roll out Process
Deploy BluArmour via SCCM
BluGenie
SIGMA Rules
Use cases
Threat Intel Sources
Windows Logging Recommendations
Lateral Movement Logging Recommendations
Windows Advanced Auditing Recommendations
GPO for Service Account, WinRM and WMI
Log Forwarding - How To
Mirror / SPAN port configuration
Cloud Log Forwarding
Deploy Micro-Agent/Sysmon via GPO
Threat Hunt
Appendix A
Powered By GitBook
Appendix A
supporting document for Pre Deployment checklists

Sensor

Sensor is a gateway appliance (physical in most cases) that receives a SPAN/Mirror copy of all the traffic moving in and out of the firewall. Most Static Analysis and DPI happen at the sensor. The Sensor is also responsible for describing the traffic model(s) and sending over the metadata to the master for further analysis.
Bandwidth
CPU/Cores
Threads
RAM (GB)
SSD (GB)
500 Mpbs
8
16
32
256
1Gbps
16
32
64
512
5Gbps
36
72
320
2000
10Gbps
72
144
512
4000

Log Collector

Is used to collect Logs and Flows from the client network. It needs to upload the compressed data to Collector in the cloud.
EPS
CPU
RAM (GB)
Diskspace (GB)
500-1000
4 cores / 8 threads
16
128
1000-2000
8 cores/ 16 threads
32
256
2000-5000
8 cores/16 threads
64
256/512
5000-10000
16 cores / 32 threads
128
1TB

Responder

Is responsible agentless Response & Remediation and needs to communicate with the Master in the cloud.
Size
Response & Remediation only
Threat Hunt (IOCs based live or log hunts)
Generic Hunts (artifact collection viz., memory, services, autostart etc.,)
100-200 endpoints
16GB RAM, 8 cores, 128GB Diskspace
16GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 128GB Diskspace
200-1000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 256GB Diskspace
100-3000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
64 GB RAM, 16 cores, 256GB Diskspace
64GB RAM, 16cores, 512GB Diskspace
3000-5000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
64GB RAM, 16 cores, 256GB Diskspace
64GB RAM, 16 cores, 1TB Diskspace
Upto 10000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
128GB RAM, 32 cores, 512GB Diskspace
16GB RAM, 8 cores, 2TB Diskspace
Above 10k+
Call for specs
Call for specs
Call for specs

Sample Deployment Architecture

Simple network architecture depicting Sensor, GW Collector and Responder in a typical deployment.
Previous
Threat Hunt
Last modified 11mo ago
Copy link
Outline
Sensor
Recommended Configuration
Log Collector
Recommended Configuration
Responder
Recommended Configuration
Sample Deployment Architecture