Objective of the Performance Benchmarking Test
The objective of this test is to measure the time taken to ingest the alerts and to complete the execution of the corresponding playbooks on the ingested alerts. Each alert triggers a playbook, so the number of alerts ingested and the number of playbooks triggered is the same.
The data from this benchmark test can help you determine the scaling requirements for your CyOPs™ instance to handle the expected workload in your environment.
Test Environment for CyOPs™ Version 4.12.0 Build 746
The test was conducted in the CyberSponse lab environment with the following specifications:
Hardware Specifications
Component | Specifications
CPU | 8 CPU
Memory | 32 GB
Storage | 500 GB virtual disk running on top of a Samsung SSD 360 Pro model attached to a VMware ESX server
Operating System Specifications
The benchmark test was performed on a dedicated virtual server running CentOS 7 (kernel 3.10.0-862) inside the CyOPs™ virtual appliance.
Other Specifications
At the start of each test run:
The test environment contained zero alerts.
It contained only the system connectors.
The system playbooks were deactivated and there were no running playbooks.
The Playbook Execution Logs were purged.
CyOPs™ Performance Benchmarking Process
The test was executed using an automated test bed that initiates HTTPS calls on each clock tick (x alerts ingested per second), which creates alerts in CyOPs™ and then triggers a playbook for each alert created.
Details of the performance benchmarking process:
When an alert is created, a playbook is triggered that performs the following steps:
We iterated this test to ingest workloads of various sizes (for example, 25 or 50 alerts in parallel).
Finally, we ran this test for 12 hours at a rate of 100 alerts every 20 seconds.
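The clock-tick driven test bed described above, written here as an added Python example (it is not CyberSponse's own harness): on each tick it fires a batch of parallel create calls, measures the ingest time and the playbook completion time separately, holds the tick cadence, and derives the per-hour figure the report quotes. The FakeSoar class and its fixed playbook delay are constructed stand-ins; a real run would replace them with the instance's alert-creation and playbook-status API calls.

```python
import time
import uuid
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class TickResult:
    tick: int
    alerts: int
    ingest_secs: float    # time until every create call has returned
    playbook_secs: float  # time until every triggered playbook reports finished

def run_benchmark(create_alert: Callable[[int], str], playbook_done: Callable[[str], bool],
                  alerts_per_tick: int, tick_secs: float, ticks: int,
                  poll_secs: float = 0.005) -> List[TickResult]:
    """On each clock tick fire alerts_per_tick parallel create calls, then wait for their playbooks."""
    results: List[TickResult] = []
    with ThreadPoolExecutor(max_workers=alerts_per_tick) as pool:
        for tick in range(ticks):
            t0 = time.monotonic()
            ids = list(pool.map(create_alert, range(alerts_per_tick)))  # parallel "HTTPS" calls
            ingest = time.monotonic() - t0
            pending = set(ids)
            while pending:  # poll until every playbook triggered by this tick has finished
                pending = {i for i in pending if not playbook_done(i)}
                if pending:
                    time.sleep(poll_secs)
            results.append(TickResult(tick, len(ids), ingest, time.monotonic() - t0))
            spare = tick_secs - (time.monotonic() - t0)  # hold the cadence: next tick on schedule
            if spare > 0 and tick < ticks - 1:
                time.sleep(spare)
    return results

def summarize(results: List[TickResult], hours_run: float) -> Dict[str, float]:
    total = sum(r.alerts for r in results)
    return {"alerts": total, "alerts_per_hour": total / hours_run,
            "max_ingest_secs": max(r.ingest_secs for r in results),
            "max_playbook_secs": max(r.playbook_secs for r in results)}

class FakeSoar:
    """Constructed stand-in for the SOAR API: a playbook 'finishes' a fixed delay after its alert."""
    def __init__(self, playbook_delay: float):
        self.delay, self.created = playbook_delay, {}
    def create_alert(self, _n: int) -> str:
        aid = uuid.uuid4().hex  # unique id per alert, safe across worker threads
        self.created[aid] = time.monotonic()
        return aid
    def playbook_done(self, aid: str) -> bool:
        return time.monotonic() - self.created[aid] >= self.delay
```

A sustained run is the same call with a large ticks value, e.g. alerts_per_tick=100, tick_secs=20, and hours_run set to the wall-clock duration of the run.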
Observations
The data in the following table outlines the number of alerts ingested in a clock tick, the total time taken to ingest those alerts, and the total time taken for all the playbooks triggered to finish execution.
Single Invocation Test
Alerts Ingested* | Total time taken to create all Alerts in CyOPs™ | Total time taken to execute all Playbooks
25 | 3 Secs | 3.12 Secs
50 | 5 Secs | 3.6 Secs
100 | 7 Secs | 7.83 Secs
*If the number of alerts ingested is 25, then the number of playbooks triggered would be 25.
Sustained Invocation Test
We continued this test, ingesting 100 alerts every 20 seconds for 12 hours, and observed that 180700 alerts were created and that the corresponding playbooks finished executing successfully.
Conclusion
Based on this test, we conclude that CyOPs™ can process an average of 15000 alerts in an hour. This includes the creation of alerts and the running of the corresponding playbooks to process them.
Note that in a production environment the following factors could vary and would therefore affect the observations:
Size of alert data
Number of other playbooks executing in parallel for each alert (for example, the system playbook for notification, or triage/investigate playbooks)
Number of steps in each playbook
Network bandwidth, especially for the outbound connections to applications such as VirusTotal.
Copyright 2024 Fortinet, Inc. All Rights Reserved.