Update 7/25/2016: Updated to reflect some of the new sizing information on the Technet Gallery page

Update 4/10/2017: Link to updated tool with automatic sizing recommendation and noting David Bernstein & Benny Lakunishok as the authors.

A few weeks ago, Microsoft released a new tool to help with sizing Advanced Threat Analytics (ATA) deployments. Anyone who has had to do this before knows it is not difficult to set up the necessary performance counters with Performance Monitor, but once you get above 10 sites or so, it becomes time consuming.

Thankfully, Benny Lakunishok & David Bernstein from the ATA team have published a great new tool here.

UPDATE: The latest tool even does automated sizing recommendations!

This utility helps evaluate the overall network traffic on the domain controllers that ATA should monitor. In addition, the tool evaluates their CPU and memory resources for possible Lightweight Gateway deployments.

Let’s take it for a spin!

First we’ll unzip the package


You can specify some of the parameters manually, but if you run it as a domain user (with appropriate rights) on a domain-joined computer, you can just let it run and it will discover all of the necessary information itself.

The recommended way to run the ATA sizing tool is with domain admin credentials, from a workstation that has RPC access to every domain controller the user administers. By default the tool runs for 24 hours (the recommended minimum) and gathers the Packets/sec counter along with data such as OS type and CPU and memory utilization.

-DomainFQDN=<Domain FQDN> Evaluates all the domain controllers in the specified domain.
-InputDCListFile=<File path> Evaluates all the domain controllers in the specified file (each domain controller is presented on a separate line).
-UseCurrent=UserDomain Evaluates all the domain controllers in the domain of the user running the tool.
-UseCurrent=ComputerDomain Evaluates all the domain controllers in the domain of the computer running the tool.
-UseCurrent=Forest Evaluates all the domain controllers in the entire forest.

NOTE: If none of the above are specified, UseCurrent=UserDomain is used.

Let’s run it without any parameters.

You can see it start to do the discovery and grab the performance counters, including ignoring NICs that aren’t needed! This will run for 24 hours.
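To make the discovery and collection step concrete, here is an added PowerShell example (my own script, not the ATA team's tool and not code from the original post) that gathers the same raw inputs across every domain controller: the Packets/sec counter per NIC (skipping pseudo and tunnel adapters), plus total CPU and available memory for judging Lightweight Gateway candidates. It assumes the ActiveDirectory module, an account with remote performance-counter (RPC) rights on each DC, and a script file name of your choosing; the NIC-ignore pattern and the definition of "Busy Packets/sec" as the highest 5-minute average over the run are my assumptions, since this page does not document how the tool computes that column.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not the ATA sizing tool. Assumptions:
    - run as an account with remote performance-counter (RPC) rights on each DC
    - "Busy Packets/sec" is approximated as the highest 5-minute average over the run
    - the NIC-ignore pattern below is our own list of pseudo/tunnel adapters
#>
param(
    [string] $DomainFQDN,                   # same idea as the tool's -DomainFQDN=
    [string] $InputDCListFile,              # same idea as -InputDCListFile= (one DC per line)
    [int]    $DurationHours = 24,           # tool default and recommended minimum
    [int]    $SampleSeconds = 60,
    [string] $OutFile = '.\ata-dc-sizing.csv'
)

# Highest average over any run of $Window consecutive samples (our "busy" figure).
function Get-PeakWindowAverage {
    param([double[]] $Values, [int] $Window)
    if ($Values.Count -le $Window) { return ($Values | Measure-Object -Average).Average }
    $peak = 0.0
    for ($i = 0; $i -le $Values.Count - $Window; $i++) {
        $sum = 0.0
        for ($j = $i; $j -lt $i + $Window; $j++) { $sum += $Values[$j] }
        if ($sum / $Window -gt $peak) { $peak = $sum / $Window }
    }
    return $peak
}
function Get-Mean([System.Collections.Generic.List[double]] $List) {
    if ($List.Count -eq 0) { return 0 }
    return ($List | Measure-Object -Average).Average
}

# --- Discovery: a DC list file wins; otherwise every DC in the current or named domain
if ($InputDCListFile) {
    $dcs = Get-Content $InputDCListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
} else {
    if (-not $DomainFQDN) { $DomainFQDN = (Get-ADDomain).DNSRoot }
    $dcs = (Get-ADDomainController -Filter * -Server $DomainFQDN).HostName
}
"Sampling {0} DC(s) every {1}s for {2}h" -f $dcs.Count, $SampleSeconds, $DurationHours

$counters = @(
    '\Network Interface(*)\Packets/sec',    # the figure ATA sizing is driven by
    '\Processor(_Total)\% Processor Time',  # Lightweight Gateway candidacy
    '\Memory\Available MBytes'
)
$ignoreNic  = 'isatap|loopback|teredo|6to4|pseudo|kernel debug'   # assumption: NICs to skip
$maxSamples = [int][math]::Ceiling($DurationHours * 3600 / $SampleSeconds)
$perDc      = @{}   # hostname -> @{ Pps; Cpu; Mem } sample lists

Get-Counter -ComputerName $dcs -Counter $counters -SampleInterval $SampleSeconds `
            -MaxSamples $maxSamples -ErrorAction Continue |
ForEach-Object {
    $pps = @{}   # per-DC sum of Packets/sec over the NICs we keep, for this sample set
    foreach ($s in $_.CounterSamples) {
        $dc = ($s.Path -split '\\')[2].ToLower()   # path looks like \\host\object(instance)\counter
        if (-not $perDc.ContainsKey($dc)) {
            $perDc[$dc] = @{
                Pps = [System.Collections.Generic.List[double]]::new()
                Cpu = [System.Collections.Generic.List[double]]::new()
                Mem = [System.Collections.Generic.List[double]]::new()
            }
        }
        switch -Wildcard ($s.Path) {
            '*\network interface(*' { if ($s.InstanceName -notmatch $ignoreNic) { $pps[$dc] = [double]$pps[$dc] + $s.CookedValue } }
            '*\% processor time'    { $perDc[$dc].Cpu.Add($s.CookedValue) }
            '*\available mbytes'    { $perDc[$dc].Mem.Add($s.CookedValue) }
        }
    }
    foreach ($k in $pps.Keys) { $perDc[$k].Pps.Add($pps[$k]) }
}

# --- Per-DC figures, named like the columns used for the Gateway table
$window = [int][math]::Max(1, 300 / $SampleSeconds)   # 5 minutes' worth of samples
$rows = foreach ($dc in ($perDc.Keys | Sort-Object)) {
    $d = $perDc[$dc]
    if ($d.Pps.Count -eq 0) { continue }
    [pscustomobject]@{
        DomainController   = $dc
        Samples            = $d.Pps.Count
        'Avg Packets/sec'  = [math]::Round((Get-Mean $d.Pps))
        'Busy Packets/sec' = [math]::Round((Get-PeakWindowAverage -Values $d.Pps.ToArray() -Window $window))
        'Avg CPU %'        = [math]::Round((Get-Mean $d.Cpu), 1)
        'Min Avail MB'     = if ($d.Mem.Count) { ($d.Mem | Measure-Object -Minimum).Minimum } else { $null }
    }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation
$rows | Format-Table -AutoSize

# --- Center figures: the Center sees every monitored DC, so sum across DCs.
# Summing per-DC busy values is conservative, since the busy periods need not coincide.
$centerAvg  = ($rows | Measure-Object 'Avg Packets/sec'  -Sum).Sum
$centerBusy = ($rows | Measure-Object 'Busy Packets/sec' -Sum).Sum
"Center: Avg {0} pps (storage tier), Busy {1} pps (CPU/memory tier)" -f $centerAvg, $centerBusy
```

Run it from a domain-joined workstation as `.\Get-DcPacketRates.ps1` (file name assumed) and leave it for the full 24 hours; a shorter run with a lower -DurationHours is useful only to confirm that every DC answers before you commit to the long collection. The CSV columns line up with the Avg and Busy Packets/sec figures the tool reports, so the same tier tables below apply.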


When we check back 24 hours later, we'll see that it has finished and written its results to an .xlsx file.


Inside, we find all of the relevant data for sizing.


Now we can take the Busy Packets/sec and Avg Packets/sec figures and size our ATA Center server against the Capacity Planning page on the ATA docs site, using the following mapping from the tool page.

ATA Center CPU and Memory: Match the “Busy Packets/sec” field in the Center table of the results file to the “PACKETS PER SECOND*” field in the ATA Center table.
ATA Center Storage: Match the “Avg Packets/sec” field in the Center table of the results file to the “PACKETS PER SECOND*” field in the ATA Center table.

In our case, 526 Busy Packets/sec puts the Center well under the first tier (1,000 packets/sec) for CPU and memory, and 351 Avg Packets/sec puts storage in the first tier as well.

Packets per second*   CPU (cores**)   Memory (GB)   Database storage per day (GB)   Database storage per month (GB)   IOPS***
1,000                 2               32            0.3                             9                                 30 (100)
10,000                4               48            3                               90                                200 (300)
40,000                8               64            12                              360                               500 (1,000)
100,000               12              96            30                              900                               1,000 (1,500)
400,000               40              128           120                             1,800                             2,000 (2,500)

*Total daily average number of packets-per-second from all domain controllers being monitored by all ATA Gateways.

We then also have to decide whether to deploy a Lightweight Gateway or a full Gateway. From a security perspective, we ALWAYS recommend a full Gateway where possible: it runs on its own server fed by port mirroring, so the sensor does not share the domain controller's attack surface. The Lightweight Gateway, which is installed on the domain controller itself, certainly has its place where you lack the virtual or physical capacity for a dedicated server, or cannot do port mirroring (as in Azure).

For the Lightweight Gateway, you can use the following reference.

NOTE that the CPU and memory figures below are the domain controller's totals, not an amount dedicated to the ATA Gateway: because the Lightweight Gateway runs on the DC, it shares these resources with the DC's own workload.

Sizing guidance from the tool page:

ATA Gateway: Match the “Busy Packets/sec” field in the Gateway table of the results file to the “PACKETS PER SECOND*” field in the ATA Gateway table or the ATA Lightweight Gateway depending on the gateway type you choose.

Packets per second*   CPU (cores**)   Memory (GB)***
1,000                 2               6
5,000                 6               16
10,000                10              24

And for the full Gateway

Packets per second*   CPU (cores**)   Memory (GB)
1,000                 1               6
5,000                 2               10
10,000                3               12
20,000                6               24
50,000                16              48

Looking at the Gateway table in the results, the Avg Packets/sec for our primary site never exceeds 438, and our Azure DC sits at only 53, so both fit comfortably within the 1 core, 6 GB Gateway tier above (the tool's guidance is to match the Busy Packets/sec column for Gateway sizing, so check that column too before committing to a tier). That said, we have deployed a Lightweight Gateway in Azure, since port mirroring isn't an option there.


This is a great tool that is easy to use, thanks to the ATA team!
