Endpoint Log Hybrid ConfigurationEndpoint Log Hybrid Configuration
This topic provides the high-level tasks required to configure the Endpoint Log Hybrid.
| Tasks | Description |
|---|---|
| Install the Endpoint Log Hybrid |
For a physical host: See Install Endpoint Log Hybrid topic under Post Installation Tasks on Physical Host Installation Guide For a virtual host: See Install Endpoint Log Hybrid topic under Step 5. Post Installation Tasks on Virtual Host Setup Guide. |
| Configure one or more Endpoint Log Hybrids |
For a physical host: See Configuring Multiple Endpoint Log Hybrids topic under Post Installation Tasks on Physical Host Installation Guide For a virtual host: See Configuring Multiple Endpoint Log Hybrids topic under Step 5. Post Installation Tasks on Virtual Host Setup Guide. |
|
Add hosts to the Endpoint Log Hybrid |
For a physical host: See Add Hosts to the Endpoint Log Hybrid topic under Post Installation Tasks on Physical Host Installation Guide For a virtual host: See Add Hosts to the Endpoint Log Hybrid topic under Step 5. Post Installation Tasks on Virtual Host Setup Guide. |
| Deploy Application and ESA Rules | See Deploying Endpoint Application Rules and ESA Correlation Rules. |
| Configuring Metadata Forwarding |
Similar to logs and packets, you can view Endpoint metadata in the Navigate and Events view. You can also generate reports and alerts for the Endpoint data. By default, the Endpoint Meta option is disabled. The agent must be installed with the Endpoint Meta option enabled to forward metadata. |
| Install Agents on Hosts |
The Endpoint agent installer is generated using the Packager tab under After the agent is installed, it appears on the Hosts view. By default, the Endpoint data is posted for the first time. To collect subsequent Endpoint data, you have to either schedule a scan or perform ad hoc scan. It retrieves data, such as drivers, processes, DLLs, files (executables), services, autoruns, security information, anomalies, system configurations, and scripts found on the host. Note: If a Windows host has proxy setup enabled and configured, the Endpoint agent communicates to the Endpoint server through proxy. If a host has both Automatic (Auto detect and Setup Script) and Manual proxy settings enabled and configured, the order of precedence is as follows: |
|
Install and Configure the Relay Server |
|
| 3rd Party Scan | Configure 3rd party scans like YARA and OPSWAT. See Configure YARA and Configure OPSWAT |
|
Permissions |
Grant or Revoke role permissions for the selected Endpoint Server. See Manage Role Permissions at Endpoint Server Level |
| Endpoint Sources | To efficiently manage and update endpoint agent configurations, you can group the agents, and manage their behavior using policies. |
|
Enable Reputation Status |
Reputation Status is enabled by default in an NetWitness Platform 11.3 and later deployment and displays information about the file. For troubleshooting, see the Live Services Guide. |
|
Risk Score |
Risk Score is calculated and obtained from NetWitness Respond for hosts and files. For more information, see the NetWitness Respond Configuration Guide. |
| Configuring Data Retention Policy |
Define data retention policies to optimally store and manage the Endpoint data based on the age of the Endpoint data or the storage size. By default, 30 days of agent data is retained. |
| Managing Inactive Agents |
By default, agents (including all the collected Endpoint data) that have not communicated with the Endpoint Server for 90 days will be automatically deleted. |
| Configure Retention Policy for Downloaded Files | Define retention policy to optimally store and manage the downloaded data such as system dump, process dump, files, and MFT. By default, 90 days of data is retained. |
|
Investigate Endpoint data |
You can investigate the Endpoint data in the Hosts and Files views. For more information, see the NetWitness Endpoint User Guide. |
