2021-05-07 02:06 PM
Non-Persistent Desktops (VDI) and NetWitness EDR Agent? I just had a customer ask me about the use of the EDR agent and non-persistent desktops; how would this work? Does this eliminate the use of the EDR Agent, since that is a clean wipe each time, or is there a function in the Agent ID capability to recognize this?
2021-05-07 02:07 PM
More or less, how is this also addressed with licensing? I think in an NP environment, each new session is a new unique machine.
2021-05-07 02:08 PM
Last question: what is the best or recommended response or architecture around this model as WFH and elastic workforces become more prevalent?
2021-05-07 04:40 PM
Each new instance of a VDI would essentially spawn a brand new agent, but only for the duration of that VDI. This will create numerous stale agents.
The best response here may depend on your customer's specific needs and circumstances, but what we usually do in these types of environments is to delete the stale agents from the database after the VDI has been destroyed. This will keep them from using up all the licensing.
The main consideration here is to determine what is a "safe" time period after which to delete stale agents, as this is one of the main filters used in the database commands that delete the agents.
Here's a script you can use and modify as you need. It looks for multiple agentIDs (> 1) all with the same hostname, and removes those agent records older than the "last seen date" from the various MongoDB collections on the endpoint server. Just be really sure you want to remove them, because there is no recovering that deleted data.
#!/bin/bash
#Set Output Colors
RED=`tput setaf 1`
GRB=`tput setaf 2; tput bold`
YLW=`tput setaf 3`
BLB=`tput setaf 4; tput bold`
BLD=`tput bold`
RST=`tput sgr0`
#enter the IP or hostname of the NW Endpoint Log Hybrid
epLogHyb=""
[ -n "$epLogHyb" ] || { echo "${RED}epLogHyb is not set; edit the script and enter the Endpoint Log Hybrid host${RST}"; exit 1; }
#set a time; delete agents with a 'last seen date' older than this time
#examples: "24 hours ago" or "14 days ago" or "4 weeks ago"
#-u makes the value UTC, since it is labelled with a trailing Z and compared against UTC timestamps in mongo
olderThanTime=$(date -u "+%F %T.000Z" -d "1 days ago")
#grab the deploy_admin password
DEPLOY_PW=$( security-cli-client --get-config-prop --prop-hierarchy nw.security-client --prop-name platform.deployment.password -q --broker nw-node-zero)
#query endpoint server's mongodb and variable-ize a list of agentIDs with duplicate names
#the shell prints one quoted _id per line; 'sed 1,2d' drops the "50000" and "switched to db" lines,
#then tr/sed turn the remaining lines into a comma-separated list: "id1","id2","id3"
agentIDs=$(echo -e "DBQuery.shellBatchSize=50000;\nuse endpoint-server\ndb.machinedetail.aggregate([ { \$group: { \"_id\": { machineName: \"\$machineIdentity.machineName\"}, dups: { \"\$addToSet\": \"\$_id\" }, count: { \"\$sum\": 1 } }}, { \$match: { count: { \"\$gt\": 1 } }} ] ,{allowDiskUse: true} ).forEach(function(aRow){ aRow.dups.forEach(function (item){ printjson(item); }) })" | mongo admin -u deploy_admin -p "$DEPLOY_PW" --host "$epLogHyb" --quiet | sed '1,2d' | tr -d '\n' | sed 's/""/","/g')
#nothing to do if no hostname has more than one agentID
if [ -z "$agentIDs" ]; then
  echo "No duplicate agentIDs found; nothing to delete"
  exit 0
fi
#build the two-line mongo script that deletes from one collection
#usage: delCmd <collection> <field that holds the agentID>
#the agentID list is wrapped in [] to form the $in array, and a record must also be older than $olderThanTime
#the age filter relies on agentStatus.lastSeenTime being present in each collection; where the field is
#absent, $lt matches nothing and no documents are removed, so check with a find() on the same filter first
delCmd() {
  printf 'use endpoint-server\ndb.%s.remove({$and:[{"%s":{$in:[%s]}},{"agentStatus.lastSeenTime":{$lt:ISODate("%s")}}]})\n' "$1" "$2" "$agentIDs" "$olderThanTime"
}
#collection:field pairs for every machine* collection that carries an agentID
collections="machinedetail:_id machinefile:agentId machinefilescore:agentId machinefilestage:agentId machinehistory:machineAgentId machineidentity:_id"
echo -e "Delete the stale agents from all machine* collections in endpoint-server?"
echo -e "There is ${RED}${BLD}NO RECOVERING${RST} this data once deleted, so be sure you want to do this"
read -p " Type ${RED}${BLD}Delete${RST} if you want to continue: ${RED}${BLD}" DELETE
echo -n "${RST}"
case $DELETE in
Delete ) echo -e "Deleting:\n$agentIDs\n"
  #run the delete against each collection in turn
  for c in $collections; do
    delCmd "${c%%:*}" "${c##*:}" | mongo admin -u deploy_admin -p "$DEPLOY_PW" --host "$epLogHyb" --quiet
  done
  ;;
* ) echo -e "\nNo Action will be taken\nPrinting to STDOUT what the actual delete commands will look like\n"
  #dry run: just print the mongo commands that the Delete branch would execute
  for c in $collections; do
    delCmd "${c%%:*}" "${c##*:}"
    echo
  done
  ;;
esac
2021-05-07 06:45 PM
Thank you Josh! I just fired this response to the prospect. Looking for good news in return.