Update 7/25/2016: Updated to reflect some of the new sizing information on the Technet Gallery page
Update 4/10/2017: Link to updated tool with automatic sizing recommendation and noting David Bernstein & Benny Lakunishok as the authors.
A few weeks ago, Microsoft released a new tool to help with sizing Advanced Threat Analytics (ATA) deployments. For anyone that’s had to do this before, you’ll know it’s not difficult to setup the necessary performance counters using Performance Monitor, but as you start getting into anything above 10 sites or so, it can be time consuming.
UPDATE: The latest tool even does automated sizing recommendations!
This utility helps evaluate the overall network traffic on the domain controllers that ATA should monitor. In addition, the tool evaluates their CPU and memory resources for possible Lightweight Gateway deployments.
Let’s take it for a spin!
First we’ll unzip the package
You can manually specify some of the parameters, but if you’re running it as a domain user (with appropriate rights), on a domain computer, we can just let it run and it will discover all of the necessary information.
The recommended way to run the ATA sizing tool is to run it with domain admin credentials from a workstation that has RPC access to all domain controllers for which the user is an admin for, the tool would run by default for 24 hours (which is the recommended minimum time to run it) and would gather the packets/sec counter as well as data like OS type, compute and memory utilization, etc.
|-DomainFQDN=<Domain FQDN>||Evaluates all the domain controllers in the specified domain.|
|-InputDCListFile=<File path>||Evaluates all the domain controllers in the specified file (each domain controller is presented on a separate line).|
|-UseCurrent=UserDomain||Evaluates all the domain controllers in the domain of the user running the tool.|
|-UseCurrent=ComputerDomain||Evaluates all the domain controllers in the domain of the computer running the tool.|
|-UseCurrent=Forest||Evaluates all the domain controllers in the entire forest.|
NOTE: If none of the above are specified, UseCurrent=UserDomain is used.
Let’s run it without any parameters.
You can see it start to do the discovery and grab the performance counters, including ignoring NICs that aren’t needed! This will run for 24 hours.
When we check back 24 hours later, we’ll see that it has finished writing to an .xlsx file
Inside, we find all of the relevant data for sizing.
Now we can look at the Busy Packets/sec and use that to size our ATA Center server using the following recommendations found under the ATA docs site for Capacity Planning.
ATA Center CPU and Memory: Match the “Busy Packets/sec” field in the Center table of the results file to the “PACKETS PER SECOND*” field in the ATA Center table.
ATA Center Storage: Match the “Avg Packets/sec” field in the Center table of the results file to the “PACKETS PER SECOND*” field in the ATA Center table.
In our case, we can see that at 526 Busy Packets/sec, we would fit well under the 1st tier requirements for CPU/Memory and at 351 Avg Packets/sec, we would also fall under the 1st tier requirements.
|Packets per second*||CPU (cores**)||Memory (GB)||Database storage per day (GB)||Database storage per month (GB)||IOPS***|
*Total daily average number of packets-per-second from all domain controllers being monitored by all ATA Gateways.
We then also have to decide if we want to deploy a Lightweight or full Gateway. From a security perspective, we ALWAYS recommend deploying a full Gateway where possibly to ensure there’s a separate attack plane for intrusions, but the Lightweight Gateway certainly has its place where you may not have the virtual or physical capacity to deploy a full Gateway, or the ability to do port mirroring (such as Azure).
For the Lightweight Gateway, you can use the following reference.
NOTE that the CPU and Memory below are total, not dedicated amount for the ATA Gateway
Sizing guidance from the tool page:
ATA Gateway: Match the “Busy Packets/sec” field in the Gateway table of the results file to the “PACKETS PER SECOND*” field in the ATA Gateway table or the ATA Lightweight Gateway depending on the gateway type you choose.
|Packets per second*||CPU (cores**)||Memory (GB)***|
And for the full Gateway
|Packets per second*||CPU (cores**)||Memory (GB)|
Based on the data collected above, we could use that data to see that our Avg Packets/sec in our primary site doesn’t exceed 438, and our Azure DC is only 53. So we fit well within the 1 core, 6GB Memory Gateway listed above. Although, we have deployed a Lightweight Gateway in Azure.
This is a great tool that is easy to use, thanks to the ATA team!