Change Policy Ordering for Groups

An endpoint agent can be included in multiple groups. And these groups can have different policies applied to them. In this case, you can edit the ordering or ranking of policies, to specify a hierarchy for your policies.

Edit Ranking

To edit the ordering or ranking of a group:

  1. Go to Admin > Endpoint Sources.
  2. Select the Groups tab and click Edit Ranking.

  3. Select one of the following source types from the drop-down list:

    • Agent Endpoint to rank the groups associated with Agent Endpoint type policies.
    • Agent Windows Logs to rank the groups associated with Agent Windows Log type policies.
    • Agent Log Files to rank the groups associated with agents that are using File Collection.

  4. Click Next.

    The Ranking view is displayed.

    You can simulate your policy settings and how they affect the endpoints within their groups. This gives you the ability to preview how your changes to the ranking will affect the policy settings applied to each hypothetical agent.

  5. You can manipulate the sliders to simulate different options. You can select the slider in the Simulate column for each group into which a hypothetical agent would fall, and drag it to the right to simulate turning on that policy.

    With every slider turned on, the Ranking view shows all policies being simulated at once.

  6. Reorder your groups as necessary.

    1. Select anywhere within a group's row.
    2. Drag the group up or down to change the priority. Priority decreases from top to bottom.
    3. Repeat moving groups until they are ordered as you prefer.

    Note: To move any group to the top, select the group and click Set Top Ranking.

  7. As you change the rankings for your groups, you can preview how the policy settings would change based on your new rankings. For example, assume each of the following scenarios:

    • If you have a hypothetical agent that belongs in group 1, simulate only group 1 to see which policies would affect that agent.
    • If you have a hypothetical agent that belongs in group 1 and group 2, simulate both group 1 and group 2 to see how policies would be applied for that agent.

  8. After you have specified the optimal ranking order, you can publish the new ranking.

Simulation Examples

This section contains simulation examples for Agent Endpoint policies and Agent Log policies. Note that Windows policies have the same behavior as Agent Endpoint policies.

Agent Endpoint Policies Examples

The Simulated Source Settings panel shows each individual policy setting, along with the governing policy for each setting.

Examine AE Policy 1, AE Policy 2 and AE Policy 3 to see which values are set in those policies.

AE Policy 1 has Agent Mode set.

AE Policy 2 has a scan schedule set and limits the CPU maximum to 18%.

AE Policy 3 has Agent Mode set (to Insights) and sets the UDP Port to 454.

No Settings Applied

When none of the policies are simulated, you can see that the Default EDR Policy governs all behavior.


Simulate a Single Policy

When you simulate the AE001 Group, the value set in AE Policy 1 governs Agent Mode, and the Default EDR Policy is used for every parameter that AE Policy 1 does not set.

Simulate Multiple Policies

When you select multiple groups and policies, you can see the effects of each policy, based on the current ranking.


You can see that Agent Mode is set to Insights: this is because AE Policy 3 is ranked above AE Policy 1, so the higher ranked policy's setting is used. None of the other parameters are set in more than a single policy, so for those, each policy's setting is used. Since AE Policy 1 only has Agent Mode set—and AE Policy 3 ranks higher and sets a different value—AE Policy 1 does not govern any of the EDR settings. And finally, for parameters not set in any of the simulated policies, the Default EDR Policy settings are used.

File Log Policies Simulation Example

The collection of parameter values into a complete policy works a bit differently for File Log policies than for EDR or Windows policies. To determine which values are applied from which policies, note the following:

  • Each event source type acts as a separate setting. That is, if a policy has values for both Apache and Access Manager, for example, each of those event source types is treated as a separate set of values.
  • When an endpoint inherits values, it does not necessarily take all of them from the single highest ranked policy. It might, for example, inherit Apache values from one policy and Access Manager settings from another.
  • If you consider a set of File Log policies that all include settings for the same event sources, then they behave the same as EDR and Windows policies.

Consider the following example, where there are three log file policies—two with Apache source types and one with MS SQL event source type.

  • File policy Apache Source 1
  • File policy Apache Source 2
  • File policy Microsoft SQL Source

Examine two of the possible ranking orders:

  • Simulate policies 1: Apache Source 1, 2: Apache Source 2. Note that in this case, the MS SQL policy is not simulated.


    In this case, all Apache settings for the group are inherited from the Apache Source 1 policy.

  • Move the Apache Source 2 policy higher than Apache Source 1 policy, and add the Microsoft SQL Source policy. Simulate policies 1: Apache Source 2, 2: Microsoft SQL Source, 3: Apache Source 1.


    In this case, all Apache settings for the group are inherited from the Apache Source 2 policy, and the group also gets the MS SQL settings from the Microsoft SQL Source policy.

So, the Apache settings are inherited from the highest ranked Apache policy only, but the source settings as a whole are combined to include settings from each event source type.
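The resolution rule illustrated by both the Agent Endpoint example and the File Log example above can be written down as one small function. The following is an added example, not NetWitness code: the ranking, group names (AE001 to AE003, FL-A1, FL-A2, FL-SQL), Default EDR Policy values and log file paths are constructed, and only the AE Policy values the page states (Insights, 18%, port 454) come from the page.

```python
# Added example, not part of NetWitness or its documentation. It reproduces the
# rule described above: for each setting, the highest ranked simulated policy
# that sets it governs; anything left unset falls back to the Default EDR
# Policy. Values not given on the page are constructed.

# Ranked highest first: (group, policy name, settings the policy sets).
# AE Policy 1's Agent Mode value is constructed (the page only says it differs).
EDR_RANKING = [
    ("AE003", "AE Policy 3", {"Agent Mode": "Insights", "UDP Port": 454}),
    ("AE002", "AE Policy 2", {"Scan Schedule": "Daily", "CPU Maximum": 18}),
    ("AE001", "AE Policy 1", {"Agent Mode": "Advanced"}),
]

# Default EDR Policy values (constructed; the page does not list them).
DEFAULT_EDR = {"Agent Mode": "Insights", "Scan Schedule": "Weekly",
               "CPU Maximum": 25, "UDP Port": 444}

def resolve(ranking, simulated, default=None, default_name="Default EDR Policy"):
    """Return {setting: (value, governing policy)} for the groups whose
    SIMULATE slider is on. Works for EDR/Windows policies (flat settings)
    and for File Log policies, where each key is an event source type.

    ranking:   list of (group, policy, settings), highest rank first.
    simulated: set of group names whose slider is ON.
    default:   fallback settings, or None for File Log policies."""
    governed = {}
    for group, policy, settings in ranking:
        if group not in simulated:
            continue  # slider OFF: this policy has no effect at all
        for key, value in settings.items():
            governed.setdefault(key, (value, policy))  # first seen = highest rank
    for key, value in (default or {}).items():
        governed.setdefault(key, (value, default_name))
    return governed

# File Log policies: one key per event source type (constructed file paths).
# This is the second ranking from the page: Apache Source 2 above MS SQL above Apache Source 1.
FILE_LOG_RANKING = [
    ("FL-A2", "Apache Source 2", {"Apache": {"file": "/var/log/httpd/access_log"}}),
    ("FL-SQL", "Microsoft SQL Source", {"MS SQL": {"file": "ERRORLOG"}}),
    ("FL-A1", "Apache Source 1", {"Apache": {"file": "/var/log/apache2/access.log"}}),
]

if __name__ == "__main__":
    edr = resolve(EDR_RANKING, {"AE001", "AE002", "AE003"}, DEFAULT_EDR)
    for setting, (value, policy) in edr.items():
        print(f"{setting:14} = {value!s:10} governed by {policy}")
    logs = resolve(FILE_LOG_RANKING, {"FL-A2", "FL-SQL", "FL-A1"})
    for source, (settings, policy) in logs.items():
        print(f"{source:14} -> {settings} from {policy}")
```

Running it with all three AE groups simulated shows AE Policy 1 governing nothing, exactly as in the multiple-policies example; passing a reordered File Log list reproduces the first ranking, where Apache Source 1 wins and no MS SQL settings appear.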

The SIMULATE Slider

The slider has two positions: On and Off.

If the simulate slider is ON for a policy, that policy's values are factored into the complete set of governing settings. If the slider is OFF for a policy, that policy's settings have no effect on the governing settings.