End-of-Life (EoL)

Multi-Tenant Sizing Requirements

Sizing requirements for a Cortex XSOAR multi-tenant deployment depend on the number of hosts and tenants deployed.
Exact sizing specifications vary depending on several factors, including the number of incidents ingested, the number of indicators in the system, playbook usage, and so on.

Hardware Requirements

Each host and tenant is a standalone instance of the Cortex XSOAR server and must meet the minimum sizing recommendations for a production environment.
Cortex XSOAR Server Requirements
Component
Dev Environment Minimum
Production Minimum
CPU
8 CPU cores
16 CPU cores
Memory
16 GB RAM
32 GB RAM
Storage
500 GB SSD
1 TB SSD with minimum 3k dedicated IOPS

Example Multi-Tenant Deployment

This example details the sizing requirements for a single host that has two tenants.
The hardware requirements for this deployment are:
Example Multi-Tenant Deployment
Component
Calculation
Production Requirements
CPU
(1 host plus 2 tenants) x 16 CPU cores
48 CPU cores
Memory
(1 host plus 2 tenants) x 32 GB RAM
96 GB RAM
Storage
Production Minimum
1 TB SSD with minimum 3k dedicated IOPS

Example Sizing Comparison Between Elasticsearch and BoltDB for Known Capacity

In this example where the number of incidents and commands is known, the sizing requirements for Elasticsearch and BoltDB are based on:
  • approximately 50 incidents per day, per tenant, with each incident running 50 commands/scripts.
  • For engines:
    • The specifications for each engine are 16 CPU and 32 GB RAM.
    • The engine is defined for each integration, including those that fetch incidents.
    • Incidents were fetched using the Splunk integration and executed using this playbook.
Example Sizing Comparison for Known Capacity
Database
Server CPU
Server Memory
Server IOPS
Number of Accounts w/ Engine
Number of Accounts w/o Engine
Elasticsearch
36 cores
72 GB
N/A
54
40
BoltDB
36 cores
72 GB
3000
52
32

Recommended For You