Appendix A
Supporting document for the pre-deployment checklists
Sensor
The Sensor is a gateway appliance (physical in most cases) that receives a SPAN/mirror copy of all traffic moving in and out of the firewall. Most static analysis and DPI happen on the Sensor. The Sensor is also responsible for building the traffic model(s) and sending the resulting metadata to the Master for further analysis. When sizing, note that a mirror session copies both directions of the monitored link onto the Sensor's capture port, so the bandwidth figure below should be the sum of inbound and outbound traffic at the firewall, not the link speed.
Recommended Configuration
| Bandwidth | CPU cores | Threads | RAM (GB) | SSD (GB) |
| --- | --- | --- | --- | --- |
| 500 Mbps | 8 | 16 | 32 | 256 |
| 1 Gbps | 16 | 32 | 64 | 512 |
| 5 Gbps | 36 | 72 | 320 | 2000 |
| 10 Gbps | 72 | 144 | 512 | 4000 |
Log Collector
The Log Collector collects logs and flows from the client network, compresses them and uploads the compressed data to the Collector in the cloud. It therefore needs outbound connectivity to the cloud Collector, and the sizing below is keyed on events per second (EPS) at peak, not on average load.
Recommended Configuration
| EPS | CPU | RAM (GB) | Disk space (GB) |
| --- | --- | --- | --- |
| 500-1000 | 4 cores / 8 threads | 16 | 128 |
| 1000-2000 | 8 cores / 16 threads | 32 | 256 |
| 2000-5000 | 8 cores / 16 threads | 64 | 256-512 |
| 5000-10000 | 16 cores / 32 threads | 128 | 1024 |
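The two tables above are keyed on numbers that should be measured before the appliances are ordered: the bandwidth actually arriving on the Sensor's mirror port and the peak EPS the Log Collector will ingest. The following script is an added example, not part of the product or its tooling. It samples a Linux interface's /proc/net/dev counters to get mirror-port Mbps, derives peak EPS from RFC 3164 syslog lines, and maps each onto the matching table row. The interface name eth0, the /proc/net/dev snapshots and the syslog lines are constructed sample data so that it runs offline; the tier figures are copied from the tables above.

```python
"""Pre-deployment sizing check for the Sensor and Log Collector (added example)."""
from collections import Counter
from time import sleep

# Sizing rows copied from the tables above: (capacity upper bound, specs).
SENSOR_TIERS = [
    (500,   {"cores": 8,  "threads": 16,  "ram_gb": 32,  "ssd_gb": 256}),
    (1000,  {"cores": 16, "threads": 32,  "ram_gb": 64,  "ssd_gb": 512}),
    (5000,  {"cores": 36, "threads": 72,  "ram_gb": 320, "ssd_gb": 2000}),
    (10000, {"cores": 72, "threads": 144, "ram_gb": 512, "ssd_gb": 4000}),
]
COLLECTOR_TIERS = [
    (1000,  {"cores": 4,  "threads": 8,  "ram_gb": 16,  "disk_gb": 128}),
    (2000,  {"cores": 8,  "threads": 16, "ram_gb": 32,  "disk_gb": 256}),
    (5000,  {"cores": 8,  "threads": 16, "ram_gb": 64,  "disk_gb": 512}),
    (10000, {"cores": 16, "threads": 32, "ram_gb": 128, "disk_gb": 1024}),
]


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from the content of /proc/net/dev."""
    counters = {}
    for line in text.splitlines()[2:]:  # first two lines are column headers
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        # receive block is 8 fields, so tx bytes is field index 8
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def mirror_mbps(before, after, seconds):
    """Bandwidth seen on a mirror port between two (rx, tx) samples.

    A SPAN copy arrives as receive-only traffic, so the rx delta already
    carries both directions of the mirrored firewall link.
    """
    rx_delta = after[0] - before[0]
    return rx_delta * 8 / seconds / 1_000_000


def sample_interface(iface, seconds=10):
    """Sample a live interface twice (Linux only; assumed interface name)."""
    with open("/proc/net/dev") as f:
        before = parse_proc_net_dev(f.read())[iface]
    sleep(seconds)
    with open("/proc/net/dev") as f:
        after = parse_proc_net_dev(f.read())[iface]
    return mirror_mbps(before, after, seconds)


def peak_eps(syslog_lines):
    """Peak events per second over RFC 3164 lines, keyed on the 15-character
    timestamp prefix ("Jan 12 10:15:32"). Peak, not average, is what sizes a
    collector: bursts are what overrun it."""
    per_second = Counter(line[:15] for line in syslog_lines if len(line) >= 15)
    return max(per_second.values(), default=0)


def pick_tier(value, tiers):
    """Smallest table row whose capacity covers the measured value, or None
    when the value exceeds the largest row (the tables say "call for specs")."""
    for capacity, spec in tiers:
        if value <= capacity:
            return dict(spec, capacity=capacity)
    return None


# Constructed sample data: two /proc/net/dev snapshots 10 s apart and a burst
# of syslog lines. Not captured from a real deployment.
SAMPLE_DEV_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1000000000 800000 0 0 0 0 0 0 2000 20 0 0 0 0 0 0
  eth1: 5000 50 0 0 0 0 0 0 5000 50 0 0 0 0 0 0
"""
SAMPLE_DEV_AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1937500000 1550000 0 0 0 0 0 0 2000 20 0 0 0 0 0 0
  eth1: 5000 50 0 0 0 0 0 0 5000 50 0 0 0 0 0 0
"""
SAMPLE_SYSLOG = [
    "Jan 12 10:15:32 fw01 kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=203.0.113.9",
    "Jan 12 10:15:33 fw01 kernel: DROP IN=eth1 SRC=10.0.0.7 DST=198.51.100.2",
    "Jan 12 10:15:33 fw01 sshd[4121]: Failed password for root from 10.0.0.9",
    "Jan 12 10:15:33 fw01 kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=203.0.113.9",
    "Jan 12 10:15:34 fw01 sshd[4121]: Failed password for root from 10.0.0.9",
    "Jan 12 10:15:34 fw01 kernel: DROP IN=eth1 SRC=10.0.0.7 DST=198.51.100.2",
]


def main():
    before = parse_proc_net_dev(SAMPLE_DEV_BEFORE)["eth0"]
    after = parse_proc_net_dev(SAMPLE_DEV_AFTER)["eth0"]
    mbps = mirror_mbps(before, after, 10)
    print(f"mirror port: {mbps:.0f} Mbps -> Sensor row {pick_tier(mbps, SENSOR_TIERS)}")
    eps = peak_eps(SAMPLE_SYSLOG)
    print(f"peak syslog rate: {eps} EPS -> Log Collector row {pick_tier(eps, COLLECTOR_TIERS)}")


if __name__ == "__main__":
    main()
```

On a real pre-deployment run, replace the constructed snapshots with `sample_interface("eth0", seconds=600)` taken during the busiest hour, and feed `peak_eps` a day of syslog rather than six lines; a 10-second sample during a quiet period will undersize both appliances.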
Responder
The Responder performs agentless response and remediation on endpoints and needs to communicate with the Master in the cloud. Its sizing depends on the number of endpoints in scope and on which of the three workloads below it will run; hunting workloads need considerably more resources than response and remediation alone.
Recommended Configuration
| Size | Response & remediation only | Threat hunt (IOC-based live or log hunts) | Generic hunts (artifact collection, e.g. memory, services, autostart) |
| --- | --- | --- | --- |
| 100-200 endpoints | 16 GB RAM, 8 cores, 128 GB disk | 16 GB RAM, 8 cores, 128 GB disk | 32 GB RAM, 8 cores, 128 GB disk |
| 200-1000 endpoints | 16 GB RAM, 8 cores, 128 GB disk | 32 GB RAM, 8 cores, 128 GB disk | 32 GB RAM, 8 cores, 256 GB disk |
| 1000-3000 endpoints | 16 GB RAM, 8 cores, 128 GB disk | 64 GB RAM, 16 cores, 256 GB disk | 64 GB RAM, 16 cores, 512 GB disk |
| 3000-5000 endpoints | 16 GB RAM, 8 cores, 128 GB disk | 64 GB RAM, 16 cores, 256 GB disk | 64 GB RAM, 16 cores, 1 TB disk |
| Up to 10000 endpoints | 16 GB RAM, 8 cores, 128 GB disk | 128 GB RAM, 32 cores, 512 GB disk | 16 GB RAM, 8 cores, 2 TB disk |
| Above 10000 | Call for specs | Call for specs | Call for specs |
Sample Deployment Architecture
Simple network architecture depicting Sensor, Log Collector and Responder in a typical deployment.