Multi-Tenant Sizing Requirements

Cortex XSOAR Multi-Tenant Guide

Product: Cortex XSOAR
Version: 6.12
Creation date: 2023-04-30
Last date published: 2023-12-18
Category: Multi-Tenant Guide

Exact sizing specifications vary depending on several factors, including the number of incidents ingested, the number of indicators in the system, playbook usage, and so on.

Hardware Requirements

Each host and tenant is a standalone instance of the Cortex XSOAR server and must meet the minimum sizing recommendations for a production environment.

Component | Dev Environment Minimum | Production Minimum
----------|-------------------------|----------------------------------------
CPU       | 8 CPU cores             | 16 CPU cores
Memory    | 16 GB RAM               | 32 GB RAM
Storage   | 500 GB SSD              | 1 TB SSD with minimum 3k dedicated IOPS

Example Multi-Tenant Deployment

This example details the sizing requirements for a single host that has two tenants.

The hardware requirements for this deployment are:

Component | Calculation                         | Production Requirements
----------|-------------------------------------|----------------------------------------
CPU       | (1 host plus 2 tenants) x 16 CPU cores | 48 CPU cores
Memory    | (1 host plus 2 tenants) x 32 GB RAM | 96 GB RAM
Storage   | Production Minimum                  | 1 TB SSD with minimum 3k dedicated IOPS

Example Sizing Comparison Between Elasticsearch and BoltDB for Known Capacity

In this example, where the number of incidents and commands is known, the sizing requirements for Elasticsearch and BoltDB are based on:

  • Approximately 50 incidents per day, per tenant, with each incident running 50 commands/scripts.

  • For engines:

    • The specifications for each engine are 16 CPU and 32 GB RAM.

    • The engine is defined for each integration, including those that fetch incidents.

    • Incidents were fetched using the Splunk integration and executed using this playbook.

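Database      | Server CPU | Server Memory | Server IOPS | Number of Accounts with Engine | Number of Accounts without Engine
--------------|------------|---------------|-------------|--------------------------------|----------------------------------
Elasticsearch | 36 cores   | 72 GB         | N/A         | 54                             | 40
BoltDB        | 36 cores   | 72 GB         | 3000        | 52                             | 32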