Exact sizing specifications vary depending on several factors, including the number of incidents ingested, the number of indicators in the system, playbook usage, and so on.
Hardware Requirements
Each host and tenant is a standalone instance of the Cortex XSOAR server and must meet the minimum sizing recommendations for a production environment.
Component | Dev Environment Minimum | Production Minimum |
---|---|---|
CPU | 8 CPU cores | 16 CPU cores |
Memory | 16 GB RAM | 32 GB RAM |
Storage | 500 GB SSD | 1 TB SSD with minimum 3k dedicated IOPS |
Example Multi-Tenant Deployment
This example details the sizing requirements for a single host that has two tenants.
The hardware requirements for this deployment are:
Component | Calculation | Production Requirements |
---|---|---|
CPU | (1 host plus 2 tenants) x 16 CPU cores | 48 CPU cores |
Memory | (1 host plus 2 tenants) x 32 GB RAM | 96 GB RAM |
Storage | Production Minimum | 1 TB SSD with minimum 3k dedicated IOPS |
Example Sizing Comparison Between Elasticsearch and BoltDB for Known Capacity
In this example, where the number of incidents and commands is known, the sizing requirements for Elasticsearch and BoltDB are based on approximately 50 incidents per day, per tenant, with each incident running 50 commands/scripts.
For engines:
The specifications for each engine are 16 CPU and 32 GB RAM.
The engine is defined for each integration, including those that fetch incidents.
Incidents were fetched using the Splunk integration and executed using this playbook.
Database | Server CPU | Server Memory | Server IOPS | Number of Accounts with Engine | Number of Accounts without Engine |
---|---|---|---|---|---|
Elasticsearch | 36 cores | 72 GB | N/A | 54 | 40 |
BoltDB | 36 cores | 72 GB | 3000 | 52 | 32 |