Creating Groups and Policies

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The following sections provide instructions on how to create groups and policies.

Create a Group

To create a group:

  1. Go to Admin > Endpoint Sources view.

  2. In the left panel, select the Groups tab.

  3. In the toolbar, click Create New.

  4. In the New Group panel, enter a group name and group description, and click Next.

  5. Specify the logical statements that define the condition for an agent to be included in the group. Each logical statement consists of: parameter, operator, and values to match.

    • In the Include source if ___ of the conditions are met field, select either all or any.

    • For each logical statement, select the required options:

      Parameter: The parameter can be OS Type, OS Description, Host Name, IPv4, IPv6, Machine OU, Tag, and Subnet.

        • OS Type, OS Description, Host Name: The value you enter should reference hardware or virtual machines that are running endpoint agents.

        • IPv4 or IPv6: Enter valid IP addresses as either ranges or as a set of IP addresses to include or exclude.

        • Machine OU: Enter a valid Machine OU (Organizational Unit) name.

        • Tag: Enter a valid tag that already exists.

        • Subnet: Enter a valid Subnet mask.

        Note: If you do not want to include certain IP addresses, use the Not in operator, and enter the IP addresses separated by a space or a comma.

      Operator: The choice of values is dependent upon the parameter you chose. For example, if your parameter is OS Type, the only operator available is in.

      Value or values to match: The value or values to match. For the OS Type parameter, you can choose one or more values from the drop-down list. For all other parameters, you can enter free-form text.

        Note: Although you can enter any text for values, the system validates your entries when you attempt to proceed to another screen, and will not allow you to proceed until values are valid.

  6. Continue adding conditions until you have completely specified the new group. After you have added all conditions, click Next to proceed.
  7. (Optional) Click Apply Policies and select the source type from the drop-down list.

    Policies with the selected source type are displayed below Available Policies.

    Select a policy by clicking the circled-plus icon. Skip this step if you want to apply a policy to the group at a later time.

    Note: You can attach only one policy per source type to a group. That is, you cannot attach more than one Agent Endpoint policy to a single group, nor more than one Agent Windows Logs policy.

    For more information on creating policies, see Create an EDR Policy, Create a Windows Log Policy, or Create a File Log Policy.

  8. Do one of the following:

    • Click Save and Close to save the settings and return to the Groups view. The publication status is displayed as Unpublished in the Groups view.

      Note: You can select an unpublished group and click Publish to publish a group.

    • Click Publish Now to publish the group.
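
To see which hosts a set of conditions would pull into a group before publishing it, the all/any evaluation from step 5 can be dry-run offline. The following is an added example, not NetWitness code: the inventory is constructed, the first-last range syntax and case-insensitive text matching are assumptions, and only the in and Not in operators named on this page are modeled.

```python
import ipaddress
import re

def split_values(text):
    """Values are entered separated by a space or a comma (per the page)."""
    return [v for v in re.split(r"[,\s]+", text.strip()) if v]

def ipv4_ranges(text):
    """Turn an IPv4 value string into (low, high) integer pairs; ValueError if invalid."""
    pairs = []
    for token in split_values(text):
        # ASSUMPTION: a range is written first-last; the page does not show the syntax.
        first, _, last = token.partition("-")
        low = int(ipaddress.IPv4Address(first))
        high = int(ipaddress.IPv4Address(last)) if last else low
        if high < low:
            raise ValueError(f"range ends before it starts: {token}")
        pairs.append((low, high))
    return pairs

def statement_matches(agent, parameter, operator, values):
    """Evaluate one logical statement: parameter, operator, values to match."""
    if parameter == "IPv4":
        addr = int(ipaddress.IPv4Address(agent["IPv4"]))
        hit = any(low <= addr <= high for low, high in ipv4_ranges(values))
    else:
        # ASSUMPTION: text parameters compare case-insensitively against each value.
        hit = agent[parameter].lower() in {v.lower() for v in split_values(values)}
    if operator == "in":
        return hit
    if operator == "not in":
        return not hit
    raise ValueError(f"unsupported operator: {operator}")

def agent_in_group(agent, mode, statements):
    """mode is 'all' or 'any', as in 'Include source if ___ of the conditions are met'."""
    results = [statement_matches(agent, *s) for s in statements]
    return all(results) if mode == "all" else any(results)

# Constructed inventory and group definition, for illustration only.
AGENTS = [
    {"Host Name": "ws-101", "OS Type": "Windows", "IPv4": "10.1.2.3"},
    {"Host Name": "ws-202", "OS Type": "Windows", "IPv4": "10.1.5.20"},
    {"Host Name": "db-01", "OS Type": "Linux", "IPv4": "10.1.2.7"},
]
STATEMENTS = [
    ("OS Type", "in", "Windows"),
    ("IPv4", "not in", "10.1.2.0-10.1.2.9, 10.9.9.9"),
]

def members(mode):
    return [a["Host Name"] for a in AGENTS if agent_in_group(a, mode, STATEMENTS)]

if __name__ == "__main__":
    print("all:", members("all"))
    print("any:", members("any"))
```

With all, the Not in statement acts as an exclusion and only ws-202 joins the group; with any, ws-101 joins even though its address is in the excluded range, because the OS Type statement alone is enough.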

Construct a Policy

When you create a policy, you should keep in mind the way groups and Agents can inherit values from other policies. The simplest way to construct a policy is to set values for all of the available settings for that policy type. If you do this, you can assign the policy to one or more groups, and all of the agents in those groups can receive the settings defined in the policy itself.

However, you do not need to set all possible available settings within a single policy. In the Group Ranking section, there are examples that show where values can come from, based on the ranking order.

Note: Remember that a group can have no more than one of each policy type assigned to it: it can be assigned 0 or 1 Agent Endpoint, Agent File Logs, and Agent Windows Logs policies.

If an agent is only a member of one group, that agent's settings are as follows:

  • If a value is set in the policy assigned to the group, that value is used.
  • If a value is not set in the policy assigned to the group, the value set in the default policy is used.

For agents that are members of multiple groups, it is a bit more complicated. For these agents, the settings are evaluated from the highest priority member group (as set on the Edit Rankings page) to the lowest priority member group. If a parameter is set in a higher group, it is not overwritten, even if the same parameter is also set in a lower group. For example, assume an Agent is part of three groups:

  • If a value is set in the highest ranked policy, the agent uses that value.
  • If a value is not set in the highest ranked policy, but is set in the second-highest-ranked policy, the agent uses the value from the second-highest-ranked policy.
  • If a value is not set in either the first- or second-highest ranked policy, but is set in the third-highest-ranked policy, the agent uses the value from the third-highest-ranked policy.
  • If a value is set in the highest-ranked policy and either or both of the other policies, the value is taken from the highest-ranked policy.
  • If a value is not set in any of the three policies assigned to the agent, the agent uses the value set in the default policy.
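
The ranking rules above can be expressed as a small resolver that also reports where each effective value came from and which lower-ranked values were ignored. This is an added example, not NetWitness code; the group names, policy names, setting keys and default values are all constructed for illustration.

```python
# Constructed data: setting names, policy names and values are hypothetical.
DEFAULT_POLICY = {"agent_mode": "Insights", "blocking": False,
                  "network_isolation": False, "scan_mbr": False}

# One entry per group; rank 1 is the highest priority on the Edit Rankings page.
# "policies" is keyed by source type, so a group holds at most one policy per type.
GROUPS = [
    {"name": "Domain Controllers", "rank": 1, "policies": {
        "Agent Endpoint": ("DC-EDR", {"agent_mode": "Advanced", "blocking": False})}},
    {"name": "All Windows", "rank": 2, "policies": {
        "Agent Endpoint": ("Win-EDR", {"blocking": True, "network_isolation": True})}},
    {"name": "HQ Subnet", "rank": 3, "policies": {
        "Agent Endpoint": ("HQ-EDR", {"scan_mbr": True, "agent_mode": "Insights"})}},
]

def resolve(member_groups, source_type, groups=GROUPS, default=DEFAULT_POLICY):
    """Return (effective, shadowed) for an agent in member_groups.

    effective: {setting: (value, policy that supplied it)}
    shadowed:  [(setting, ignored value, ignored policy, winning policy)]
    A setting counts as "set" when its key is present, whatever the value.
    """
    effective, shadowed = {}, []
    ranked = sorted((g for g in groups if g["name"] in member_groups),
                    key=lambda g: g["rank"])
    for group in ranked:
        assigned = group["policies"].get(source_type)
        if assigned is None:          # group has no policy of this type
            continue
        policy_name, settings = assigned
        for key, value in settings.items():
            if key in effective:      # already set by a higher-ranked group
                shadowed.append((key, value, policy_name, effective[key][1]))
            else:
                effective[key] = (value, policy_name)
    for key, value in default.items():  # anything still unset falls back
        effective.setdefault(key, (value, "Default"))
    return effective, shadowed

if __name__ == "__main__":
    eff, shadow = resolve({"Domain Controllers", "All Windows", "HQ Subnet"},
                          "Agent Endpoint")
    for key, (value, source) in sorted(eff.items()):
        print(f"{key:18} = {value!s:9} from {source}")
    for key, value, loser, winner in shadow:
        print(f"ignored: {key}={value} in {loser} (overridden by {winner})")
```

In the sample data the highest-ranked policy explicitly sets blocking to off, so the lower-ranked policy that turns it on never takes effect for that agent; the shadowed list makes that kind of override visible during a policy review.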

Create an EDR Policy

While creating a policy, note the following:

  • Whenever you choose a setting, it is added to the Selected Settings panel.
  • To clear any of your selected settings, click the circled-x icon to remove that setting.
  • At any point in the wizard, you can choose Save and Close, so that you can return to complete the policy at a later time.

To create an EDR policy:

  1. Go to Admin > Endpoint Sources.
  2. Click Policies. The available policies are displayed.

  3. Click Create New to add a new policy.
  4. In the New Policy panel, do the following:

    • Select Agent Endpoint as the source type from the drop-down list.
    • Enter the policy name.
    • Enter a description for the policy.
  5. Click Next.
  6. Click the circled-plus icon to select a setting from the list of Available Settings. After you click, the specific setting is moved under the Selected Settings panel. You need to enter the required values for the selected settings. For details, see Define Policy Panel for Agent Endpoint Policy.

    Note: You do not need to set all possible available settings within a single policy. The complete list of settings for an agent is derived from one or more groups to which that agent belongs. This is described in more detail in Construct a Policy.

    • In the Scan Schedule category, enable Run Scheduled Scan to configure the scan, and set any of the available parameters based on your needs. For more details, see Define Policy Panel for Agent Endpoint Policy.
    • In the Agent Mode category, you can set the following:
      • Select the monitoring mode of the agent - Insights or Advanced.
      • Select Expanded Network Visibility:

        Prerequisite

        Note: For Expanded Network Visibility to work, ensure the service user account used for aggregating Endpoint Log Decoder data to Endpoint Concentrator is assigned with the decoder.manage permission. For more information on how to assign roles and permissions, see "Services Security View - Aggregation Role" in the Hosts and Services Getting Started Guide for NetWitness Platform.

        • To enable network tracking and monitoring on Windows hosts in Insights mode.

        Note: Reports UDP connections for Windows 10 version 1803 in Insights mode.

        • To optimize the frequency of agents sending network events for both Insights and Advanced modes.
        • The endpoint agents should have the Expanded Network Visibility option enabled for enriched network events from NetWitness Platform packet deployment with endpoint data. In the Events View > Hosts tab, the endpoint data related to the network event selected will be automatically displayed if it exists. For more information, see "Host Information" in the Investigate User Guide.

        Note: For network tracking in Insights mode, verify that the Windows Management Instrumentation (WMI) service is enabled.

    • In the Scan Settings category, you can enable either or both of the following actions:

      • Enable Scan Master Boot Record to include Master Boot Record (MBR) details in scheduled scans.
      • Enable Auto Scan New Systems When Added to automatically queue a scan for any host that does not have any snapshot data.
    • In the Download Settings category, you can set the following:

      • Enable Automatic File Downloads to automatically download files based on the Signature and file size. By default this option is enabled.
      • Enable Automatic Memory DLL Downloads to automatically download all the memory DLLs that are detected during a scan. By default this option is enabled.

      • Select the Signature type to limit the download of files based on the signature (not available for Linux systems).
      • Specify the File Size Limit to limit the download of files based on the file size. The file size limit should be between 1 KB and 10 MB.
    • In the Response Action Settings category you can enable or disable the following actions:

      • Enable Blocking to prevent the execution of a malicious file on any host.
      • Enable Network Isolation to provide an option to isolate a compromised host during investigation.
    • In the Endpoint Server Settings, configure your server:

      • From the drop-down list, add the Endpoint server that the agent will communicate with.

        Note: If you do not select an Endpoint Server, the agent uses the default Endpoint Server that is configured during packager generation.

      • (Optional) Enter an alternative hostname or IP address.

      • Enter the HTTPS port used for communication.
      • Specify the HTTPS beacon interval.
      • Enter the UDP port used for communication.
      • Specify the UDP beacon interval.
      • Advanced Setting - For NetWitness Support staff only.

        IMPORTANT: It is strongly recommended not to use the Advanced Configuration unless advised to do so by NetWitness.

  7. Do one of the following:

    • Click Save and Close to save the settings and return to the Policies view. The policy will be listed under the Unpublished category.
    • Click Publish Policy to publish the policy.

Create a Windows Log Policy

To create a Windows Log policy:

  1. Go to Admin > Endpoint Sources.
  2. Click Policies. The available policies are displayed.
  3. Click Create New to add a new policy.
  4. In the New Policy panel, do the following:

    • Select Agent Windows Logs as the source type from the drop-down list.
    • Enter the policy name.
    • Enter a description for the policy.
  5. Click Next.
  6. Click the circled-plus icon to select a setting from the list of Available Settings. After you click a setting, it is moved under the Selected Settings panel. You need to enter the required values for the selected settings.

    Note: You do not need to set all possible available settings within a single policy. The complete list of settings for an agent is derived from one or more groups to which that agent belongs. This is described in more detail in Construct a Policy.

      • Select Windows Log Collection to enable Windows Log collection. By default, this option is disabled.
      • Enable Send Test Log to send a test log. By default, this option is disabled.
      • From the drop-down list, select the Primary Log Decoder / Log Collector to forward logs to.
      • (Optional) From the drop-down list, select the Secondary Log Decoder / Log Collector to forward logs to.

        Note: When the Endpoint Agent is configured to use the UDP protocol and the Primary Log Decoder / Remote Log Collector is not reachable, the secondary Log Decoder or Log Collector is not functional. The logs are not forwarded to the secondary Log Decoder or Log Collector when the primary is down, resulting in event loss.

      • Select Protocol from the drop-down list. The available options are UDP, TCP, and TLS. By default, the protocol is TLS.
      • Add Channel Filters and select the channels from which the logs are collected from the drop-down list. You can add or remove a channel filter and specify individual Event IDs.

     

    • Advanced Configuration

      • Throttle Network Bandwidth: use this setting to limit network bandwidth that the Agent uses to connect to NetWitness. This setting is disabled by default: click Enabled to turn it on, and then enter a value in kilobits per second.

        • If not set, Agent does not do any network throttling.
        • If set to a positive value x, agent limits network bandwidth to x kbps.
      • Advanced Setting - For NetWitness Support staff only.

        IMPORTANT: It is strongly recommended not to use the Advanced Configuration unless advised to do so by NetWitness.

  7. Do one of the following:

    • Click Save and Close to save the settings and return to the Policies view. The policy will be listed under the Unpublished category.
    • Click Publish Policy to publish the policy.

Create a File Log Policy

Note: You cannot create File Log policies while the system is in mixed mode. Until all Endpoint servers are updated to 11.4, the Agent File Logs options on the policy create, assign policy, and edit ranking pages are disabled.

To create a File Log policy:

  1. Go to Admin > Endpoint Sources.
  2. Click Policies. The available policies are displayed.
  3. Click Create New to add a new policy.

  4. In the New Policy panel, do the following:

    • Select Agent File Logs as the source type from the drop-down list.
    • Enter the policy name.
    • Enter a description for the policy.
  5. Click Next.
  6. Click the circled-plus icon to select a setting from the list of Available Settings. After you click a setting, the specific setting is moved under the Selected Settings panel. You need to enter the required values for the selected settings.

    Note: You do not need to set all possible available settings within a single policy. The complete list of settings for an agent is derived from one or more groups to which that agent belongs. This is described in more detail in Construct a Policy.

    • Enable Collect File Logs to collect file logs on endpoints assigned to this policy. By default, this option is disabled.
    • Enable Send Test Log to send a test log. By default, this option is disabled.
    • From the drop-down list, select the Primary Log Decoder / Log Collector to forward file logs to.
    • (Optional) From the drop-down list, select the Secondary Log Decoder / Log Collector to forward file logs to.

      Note: When the Endpoint Agent is configured to use the UDP protocol and the Primary Log Decoder / Remote Log Collector is not reachable, the secondary Log Decoder or Log Collector is not functional. The logs are not forwarded to the secondary Log Decoder or Log Collector when the primary is down, resulting in event loss.

    • Select Protocol from the drop-down list. The available options are UDP, TCP, and TLS. By default, the protocol is TCP.
    • Advanced Configuration

      • Throttle Network Bandwidth: use this setting to limit network bandwidth that the Agent uses to connect to NetWitness. This setting is disabled by default: click Enabled to turn it on, and then enter a value in kilobits per second.

        • If not set, Agent does not do any network throttling.
        • If set to a positive value x, agent limits network bandwidth to x kbps.
      • Advanced Setting - For NetWitness Support staff only.

        IMPORTANT: It is strongly recommended not to use the Advanced Configuration unless advised to do so by NetWitness.

  7. Click Next, and add the file type or types for the policy.

    1. Select a log file type from the list, then click Add Selected File Type to configure its log collection settings.

      For a list of currently supported event source types, see Endpoint Sources - Policies.

    2. Choose values for the available parameters.

      • Collect Logs: Select Enable or Disable.
      • On First Connect: Choose whether or not to collect older, historical data, or just new data. The default setting is to collect new data only.

        Note: New data is data that is collected starting from when you configure log collection for the specified event source.

      • (Optional) Log File Path: Add a path for where the log files are stored. This is only necessary if the log files are not stored in the standard directory for the selected event source type. To add a path, click Add Path and enter a pathname.

        Note: This can be a Universal Naming Convention (UNC) pathname (\\host-name\share-name\file-path).

        Click Add Path again to add another path. You can add as many paths as you like.

      • Exclusion Filters: You can enter a newline-separated list of exclusion filters, which specify log files from which NetWitness should not be collecting data.

        Note: The filter needs to be entered as a valid regex string, or the system will not allow you to save it.

      • Advanced Settings: note that most users do not need to set these parameters.

        • Source Alias: For most installations, this value is not needed. Use this to specify a unique event source name, in the case you have multiple event sources of the same type, for example two IBM WebSphere MQ event sources in the same NetWitness installation.
        • File Encoding: Select a type of file encoding. You can choose from a wide variety of encodings. The default value is UTF-8/ASCII.

      For more details on the available parameters, see Panels for Log File Policy.

    3. You can add more file types to the policy. After you have added all your file types, proceed to the next step.
  8. Do one of the following:

    • Click Save and Close to save the settings and return to the Policies view. The policy will be listed under the Unpublished category.
    • Click Publish Policy to publish the policy.
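
The notes in this procedure (secondary destination not used with UDP, throttle must be a positive kbps value, exclusion filters must be valid regex) can be checked against a planned policy before it is entered in the wizard. The following is an added example, not NetWitness code: the policy dictionary keys, host names and sample paths are constructed, and it assumes Python's regex dialect and that a filter excludes a file when it matches anywhere in the path.

```python
import re

PROTOCOLS = ("UDP", "TCP", "TLS")  # options listed for the Protocol setting

def check_file_log_policy(policy, sample_paths=()):
    """Return a list of (severity, code, detail) findings for a File Log policy dict."""
    findings = []
    protocol = policy.get("protocol", "TCP")  # File Log policies default to TCP
    if protocol not in PROTOCOLS:
        findings.append(("error", "bad-protocol", protocol))
    if protocol == "UDP" and policy.get("secondary"):
        # Per the Note: with UDP the secondary never takes over, so events are lost.
        findings.append(("warn", "udp-secondary-unused", policy["secondary"]))
    throttle = policy.get("throttle_kbps")     # None means throttling is not set
    if throttle is not None and throttle <= 0:
        findings.append(("error", "bad-throttle", str(throttle)))
    # Exclusion filters are a newline-separated list; each must be a valid regex.
    filters = policy.get("exclusion_filters", "")
    for number, line in enumerate(filters.splitlines(), 1):
        if not line.strip():
            continue
        try:
            pattern = re.compile(line)
        except re.error as exc:
            findings.append(("error", "bad-regex", f"line {number}: {exc}"))
            continue
        # ASSUMPTION: a filter excludes a file when it matches anywhere in its path.
        if sample_paths and all(pattern.search(p) for p in sample_paths):
            findings.append(("warn", "filter-excludes-all", f"line {number}: {line}"))
    return findings

# Constructed policy and sample paths, for illustration only.
POLICY = {
    "protocol": "UDP",
    "primary": "logdecoder-1",
    "secondary": "logdecoder-2",
    "throttle_kbps": 0,
    "exclusion_filters": "\\.bak$\n[unclosed\n.*",
}
SAMPLES = [r"C:\logs\app\server.log", r"C:\logs\app\server.bak"]

if __name__ == "__main__":
    for severity, code, detail in check_file_log_policy(POLICY, SAMPLES):
        print(f"{severity:5} {code:22} {detail}")
```

The last check catches a filter such as .* that is valid regex, and so would be accepted, but excludes every sample log file and would silently stop collection.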

Replace Windows SFTP Agents

Note that you might want to replace the SFTP Agent for Windows with the NetWitness Endpoint Agent for collection from file event sources. If so, perform the following procedure:

  1. Using the File Collection Policy wizard (as described below), configure file collection for your event sources.
  2. Verify that collection is working.
  3. On each of your event sources, stop the SFTP service.