Settings

Every cloud environment is configured based on specific settings that define its limitations and pricing. We offer six settings, comprising four basic and two advanced settings. The advanced settings are automatically calculated based on the basic settings but can be modified if needed.

To monitor the behavior of your environment and check if the configured values of the settings are being reached, see the Monitor usage section.

Understanding environment settings

Active agents

This basic setting sets the maximum count of active ThreatLockDown agents that the environment can support. Please note that while registering an unlimited number of ThreatLockDown agents is possible, the active agent count is limited by this setting.

If the maximum number of active agents is reached, the environment might start to malfunction, causing instability with agent connections. Although the system can temporarily handle exceeding the active agent limit, appropriate measures will be taken if the situation persists.

Indexed data

The indexed data was previously known as hot storage. It includes the data available on the ThreatLockDown dashboard, which corresponds to the information indexed by Wazuh. This information becomes searchable and analyzable as soon as ThreatLockDown ingests and indexes the events sent by the agents.

Two settings define the behavior of the indexed data:

  • Indexed data retention: It determines the maximum duration for which data remains indexed. This is a basic setting.

  • Indexed data capacity: It defines the maximum size, in bytes, of the indexed data. This setting is equivalent to what was previously called a "tier." This is an advanced setting, and the interface provides a suggestion when selecting the Indexed data retention.

Data remains indexed until either the indexed data retention or the indexed data capacity is reached. In other words, once either of the settings' values is reached, data rotation will occur (removing the oldest data) until the settings' conditions are met.
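The rotation rule above, modeled as an added example (not the cloud service's own code). It shows how far back data stays searchable when the capacity limit is hit before the retention limit. The per-day rotation granularity, the function names and the sample volumes are assumptions made for illustration.

```python
from datetime import date, timedelta

GB = 10**9

def rotate_indexed_data(daily_bytes, retention_days, capacity_bytes, today):
    """Return (days still indexed, oldest first; total bytes kept).

    daily_bytes maps a date to the bytes indexed on that day.
    Assumption: rotation removes whole days, oldest first.
    """
    # Retention limit: keep only the most recent `retention_days` days.
    cutoff = today - timedelta(days=retention_days)
    kept = sorted(day for day in daily_bytes if day > cutoff)
    total = sum(daily_bytes[day] for day in kept)
    # Capacity limit: remove the oldest day until the data fits.
    while kept and total > capacity_bytes:
        total -= daily_bytes[kept.pop(0)]
    return kept, total

def searchable_window(daily_bytes, retention_days, capacity_bytes, today):
    """Return (days searchable, bytes kept, which limit was binding)."""
    by_retention, _ = rotate_indexed_data(
        daily_bytes, retention_days, float("inf"), today)
    kept, total = rotate_indexed_data(
        daily_bytes, retention_days, capacity_bytes, today)
    limit = "capacity" if len(kept) < len(by_retention) else "retention"
    return len(kept), total, limit

# Constructed sample: 120 days of history at a steady 2 GB per day.
TODAY = date(2024, 6, 30)
SAMPLE = {TODAY - timedelta(days=i): 2 * GB for i in range(120)}

if __name__ == "__main__":
    for capacity in (100 * GB, 500 * GB):
        days, total, limit = searchable_window(SAMPLE, 90, capacity, TODAY)
        print(f"capacity={capacity // GB} GB -> {days} days searchable, "
              f"{total // GB} GB kept, bound by {limit}")
```

With 90 days of retention configured, the 100 GB case leaves only 50 days searchable, which matters when an investigation needs to look further back than that.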

Archive data

This basic setting, previously known as cold storage, defines the duration for which the analyzed data generated by ThreatLockDown is stored in an AWS S3 bucket for long-term storage purposes. Unlike the indexed data, this data isn't searchable or analyzable. It simply consists of a collection of compressed files.

When the specified time is reached, data beyond that time range will be deleted.

Support plan

This setting indicates whether the support level is premium or standard.

Average/Peak EPS

It represents the average and the maximum number of events per second (EPS) that the environment can analyze. This is an advanced setting, and the interface provides a suggestion when selecting the Active agents setting.

If the ingestion rate exceeds the peak EPS, events will start to queue. However, if the queue becomes full, the incoming events will be discarded, which may lead to potential event loss. The queuing mechanism is automatically managed by the cloud service, ensuring optimal resource utilization.

The environment is configured with the limits eps option using the following parameters:

  • timeframe = 1 second

  • maximum = Peak EPS / number of server nodes

The number of server nodes is automatically determined by the cloud service based on the workload. For instance, if the Average/Peak EPS setting is 100/500 EPS and there is a cluster of 2 nodes at the current time, each node can process up to 250 events per second (500 peak EPS / 2 server nodes).
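The per-node limit and the queue-then-discard behavior described above, modeled as an added example (not the cloud service's implementation). The page does not state the queue size, so `queue_size` is a hypothetical value, and the per-second ingestion figures are constructed; the order of steps within each second is also a modeling assumption.

```python
def per_node_maximum(peak_eps, server_nodes):
    """maximum = Peak EPS / number of server nodes (timeframe of 1 second)."""
    return peak_eps // server_nodes

def simulate_node(ingest_per_second, maximum, queue_size):
    """Replay per-second ingestion on one node and report event loss.

    Assumed order each second: the node analyzes up to `maximum` events
    from the backlog, the rest waits in the queue, and whatever does not
    fit in the queue is discarded.
    """
    queued = processed = dropped = 0
    first_loss_second = None
    for second, incoming in enumerate(ingest_per_second):
        backlog = queued + incoming
        done = min(backlog, maximum)
        backlog -= done
        lost = max(0, backlog - queue_size)
        queued = backlog - lost
        processed += done
        dropped += lost
        if lost and first_loss_second is None:
            first_loss_second = second
    return {
        "processed": processed,
        "dropped": dropped,
        "still_queued": queued,
        "first_loss_second": first_loss_second,
    }

# Values from the page: 500 peak EPS across 2 server nodes.
MAXIMUM = per_node_maximum(500, 2)
# Hypothetical queue size (not stated on the page).
QUEUE_SIZE = 1000
# Constructed sample: a five-second burst of 600 events/s on one node.
BURST = [200, 200, 600, 600, 600, 600, 600, 200, 200, 200]

if __name__ == "__main__":
    print("per-node maximum:", MAXIMUM)
    print(simulate_node(BURST, MAXIMUM, QUEUE_SIZE))
```

The queue absorbs the first two seconds of the burst; discards start in the third burst second and continue until the ingestion rate falls back under the per-node maximum.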

Adjusting environment settings

Managing your environment settings is crucial to meeting your evolving needs and optimizing the performance of your cloud environment. While some settings can be determined upfront, such as the number of active agents, indexed data retention, archive data, and support plan, it's important to note that these requirements may change over time.

Advanced settings might be more challenging to determine in advance. While the interface provides recommendations based on our experience, your specific workload might differ. Hence, we recommend deploying, monitoring, and adjusting the settings as needed to align with your evolving requirements.

To effectively monitor and adapt your environment, you have the option to modify your settings by opening a support ticket. Here's how the process works:

  • Upgrading a setting: If you need to raise a setting, you will be charged a prorated amount based on the remaining time in your billing cycle. The change will be implemented immediately after the payment is made. Please note that your next billing cycle will reflect the increased cost of the enhancement.

  • Downgrading a setting: If you want to lower a setting, the change will take effect in the next billing cycle, resulting in a reduced cost.

Before any changes or payments are made, we will confirm the adjustments with you to ensure accuracy and alignment with your requirements.

By monitoring your environment and making necessary adjustments to the settings, you can ensure that your cloud environment remains optimized and aligned with your evolving needs.