Azure ATP sizing

Ralfxyz · ‎Dec 22 2019

I recently set up the RAM as recommended by the sizing tool, but now I get the message again in Azure ATP "some network traffic is not being analyzed".

Currently the tool shows the following:

DC	Sensor Supported	Failed Samples	Max Packets/sec	Avg Packets/sec	Busy Packets/sec	Busy Packets/sec Start Time	Busy Packets/sec End Time	Min Avail MB	Avg Avail MB	Busy Avail MB	Busy RAM Start Time	Busy RAM End Time	Total MB	Max % CPU Time	Avg % CPU Time	Busy % CPU Time	Busy CPU Start Time	Busy CPU End Time	Logical processors	Processor Groups	Core Count	VM Indicator	AD Site	Time Zone Name	Is DST	OS Caption	OS Build Number	OS Installation Type	OS Server Levels
srvRODC1.contoso.com	Yes, but additional resources required: +2GB	0	2.438	55	111	08:17:54	08:32:51	1.833	2.081	2.040	07:15:54	07:30:57	4.095	89	8	13	07:20:04	07:35:07	2	1	2	VMWare	London	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore
srvRODC2.contoso.com	Yes, but additional resources required: +3GB	0	1.940	63	94	08:21:09	08:36:12	534	1.188	1.153	06:23:16	06:38:13	4.095	100	11	14	07:17:54	07:32:57	2	1	2	VMWare	Lyon	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore
srvRODC3.contoso.com	Yes, but additional resources required: +3GB	0	2.237	173	229	07:19:15	07:34:18	600	929	907	07:26:21	07:41:18	3.071	100	10	14	07:20:00	07:35:02	2	1	2	VMWare	Pune	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore
srvRODC4.contoso.com	Yes, but additional resources required: +3GB	0	4.109	62	94	07:16:34	07:31:37	633	924	899	06:46:40	07:01:37	4.095	100	36	41	06:23:21	06:38:19	2	1	2	VMWare	Rom	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore
srvdc3.contoso.com	Yes, but additional resources required: +1GB	0	13.915	3.425	4.296	07:32:12	07:47:09	7.378	7.987	7.896	08:21:54	08:36:57	12.287	100	30	42	08:11:18	08:26:16	4	1	4	VMWare	Berlin	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore
srvdc2.contoso.com	Yes, but additional resources required: +1GB	0	9.664	3.934	4.506	07:38:18	07:53:15	7.062	7.613	7.552	07:52:30	08:07:27	12.287	91	24	47	08:33:18	08:48:19	4	1	4	VMWare	Berlin	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore
srvdc1.contoso.com	Yes, but additional resources required: +1GB	0	12.198	4.356	5.565	07:55:30	08:10:27	7.311	7.843	7.635	08:15:38	08:30:35	12.287	76	17	25	08:01:41	08:16:38	4	1	4	VMWare	Muenchen	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore
srvdc4.contoso.com	Yes, but additional resources required: +1GB	0	4.728	743	1.320	07:12:23	07:27:26	7.024	7.342	7.259	07:15:09	07:30:11	12.286	94	17	28	08:38:43	08:53:42	2	1	2	Physical	Leipzig	(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna	False	Microsoft Windows Server 2016 Standard	14393	Server Core	ServerCore

How much RAM must be free and available for Azure ATP to run correctly and without warning?
Is 9.5GB RAM the maximum Azure ATP needs? (without OS,....) => https://docs.microsoft.com/en-US/azure-advanced-threat-protection/atp-capacity-planning

We are currently testing Azure ATP, but we plan to roll it out soon.
For better planing i need to know how much RAM the servers need.
It is always difficult to add more RAM later.

thanks,
Best Regards,
Ralf

Ralfxyz · ‎Dec 23 2019

@Ralfxyz

On which of the above machines did you get the health alert?

In general, it's important to understand that the sizing tool is based on heuristics.

It's pretty good most of the times, but we did see anomalies in networks that act a little different.

For example, different mixture of traffic, increased AD events due to lot's of Apps querying AD, or networks with exceptional amounts of AD entities. those and more are issues that the tool can't reasonably measure, so it could be that in some cases you would need to add more memory or cores compared to what the tool says or even mentioned in the table,

Still, for most cases it is a good fit or a good starting point.

As for sizing... the data in the tables is what the sensor itself is consuming.

In addition to that, the sensor resource manager expect to have AT LEAST 15% free RAM and CPU at all times to protect AD services, or else it will throttle itself.

So for example, let's say the sensor needs 10 GB, And AD services / OS need 10 GB more, that's 20GB used RAM at all times. so in this case, I would use a machine with at least 24 GB of RAM, so at all times I will have a bit more than 15% free, and won't get throttled.

Same goes for total CPU.

Ralfxyz · ‎Dec 24 2019

@Eli Ofek Hello Eli,
thank you very much for your fast reply and the explanation.
The messages comes from srvdc1, srvdc2 and srvdc3.

Ok, the warning comes because there are sometimes peak loads.
I have to check how much RAM I can provide for the DCs.

Thank you very much for your support.
Best Regards,
Ralf

Ralfxyz · ‎Dec 23 2019