Endpoint Sources - Groups

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The Admin > Endpoint Sources view contains two tabs: Groups and Policies.

Workflow

[Figure: Endpoint Sources workflow diagram]

What do you want to do?

User Role       I want to ...                   Show me how
Administrator   create new groups*              Create a Group
Administrator   edit groups*                    Edit a Group
Administrator   edit ranking*                   Managing Groups
Administrator   delete groups*                  Delete a Group
Administrator   view default policies           Default Agent Endpoint (EDR) Policy
Administrator   create an EDR policy            Create an EDR Policy
Administrator   create a Windows Log policy     Create a Windows Log Policy
Administrator   edit policies                   Edit a Policy
Administrator   delete policies                 Delete a Policy

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Groups tab:

[Figure: Groups tab, with callouts 1 to 4 described below]

1. Toolbar

  • Create New: Lets you create a new group. For more information, see Create a Group.
  • Edit Ranking: Lets you edit the ranking of groups. For more information, see Managing Groups.
  • Publish: Publishes the selected group or groups.
  • Edit: Lets you edit the details of an existing group. For more information, see Edit a Group.
  • Delete: Deletes the selected group or groups permanently. For more information, see Delete a Group.

2. Filter Pane

  • Filters: You can filter groups based on Policy Type and Publication Status.

    To hide, click the netwitness_icon-close.png icon at the top-right of the panel. To display if hidden, click the netwitness_ic-filter4.png icon in the toolbar.

  • Reset: Removes the currently applied filter criteria.

For more information, see Filter Endpoint Groups.

3. Groups List Pane

  • Group name: Name of the group.
  • Source Count: Number of hosts that are currently members of the group.
  • Policies applied: Lists the policies applied to this group.
  • Group description: Description of the group.
  • Policy Types Applied: Type of policies applied to the group: Agent Endpoint, Agent File Logs, Agent Windows Logs, or any combination of these.
  • Publication Status: Status of the group - Published or Unpublished.

You can also sort on any column. If you mouse over a column header, a sort icon is displayed: netwitness_ic-colsortasc2.png. Click the icon to sort by the selected column.

4. Group Details Pane

Displays the properties of the selected group.

Note: Click the row to view the Properties panel for a group.

Create Group

Below is an example of the Create Group dialog. The table describes the information and options in the Create Group dialog.

[Figure: Create Group dialog]

Field                Description
Group Name           Name of the group. The name should be unique.
Group Description    Description of the group. The description should not exceed 8000 characters.

Define Group

Below is an example of the Define Group panel. The table describes the information and options in the Define Group panel:

[Figure: Define Group panel]

Field Description

Include source if ... of the conditions are met

Defines how the conditions are combined when deciding whether an agent is included in the group. Available options are all (every condition must be met) or any (at least one condition must be met).

Parameter

The parameter can be OS Type, OS Description, Host Name, IPv4, IPv6, Machine OU, Tag, and Subnet.

  • OS Type - Type of operating system. Available options are: Windows, Linux, and MacOS.
  • OS Description - Description of the operating system. The description should not exceed 256 characters. Available operators are: is equal to, contains, starts with, and ends with. For example, Microsoft Windows 10 Enterprise.
  • Host name - Name of the host. The host name can contain only alphanumeric characters. Available operators are: is equal to, contains, starts with, ends with, and in. For example, DESKTOP-QQPDNG3.
  • IPv4 and IPv6 - IP address. Available operators are: between, in, and not in. For example, 10.40.15.220.
  • Machine OU - Name of the Machine OU. Available operators are: is equal to and contains. For example, OU=Win10, OU=Contractors, DC=corp, DC=com
  • Tag - Name of the tag that already exists. Available operators are: is equal to, contains, and in.
  • Subnet - The value of the Subnet Mask. Available operator is: in.

Note: If you do not want to include certain IP addresses, use the Not in operator, and enter the IP address separated by a space or a comma.

Operator

The available operators depend on the parameter you chose. For example, if your parameter is OS Type, the only operator available is in.


Value or values to match

The value or values to match. For the OS Type parameter, you can choose one or more values from the drop-down list. For all other parameters, you can enter free-form text.

Note: Although you can enter any text for values, the system validates your entries when you attempt to proceed to another screen, and will not allow you to proceed until values are valid.

Add condition

Lets you add another condition.

Apply Policies

Below is an example of the Apply Policies panel. The table describes the information and options in the Apply Policies panel:

[Figure: Apply Policies panel]

Field                     Description
Source Type               Defines the source type for the group. Available options are Agent Endpoint and Agent Windows Logs.
Available Policies        Lists the available policies associated with the source type.
Selected Policies         Lists the policies you have selected for the source type.
Add Another Source Type   Lets you add another source type.
Save and Close            Saves the settings and closes the Create Group dialog.
Publish Now               Publishes the created group.

Ranking Groups

Below is an example of the Ranking Groups dialog. The table describes the information and options in the Ranking Groups dialog.

[Figure: Ranking Groups dialog]

Field          Description
Source Type    Establishes ranking for the source type. Available options are Agent Endpoint and Agent Windows Logs.

Below is an example of the Edit Ranking panel.

[Figure: Edit Ranking panel]

From this panel, you can do the following:

  • Drag the group up or down to change the priority. Priority decreases from top to bottom.
  • Turn the Simulate slider on or off, to simulate your policy settings and how they affect the endpoints within their groups. For more details, see Simulation Examples.
  • Use the available buttons to perform actions:
      • Reset Ranking: Resets the ranking to the original order.
      • Set Top Ranking: Moves the selected group to the top.
      • Previous: Navigates to the Choose Source Type panel.
      • Publish Ranking: Publishes the ranking.
      • Cancel: Discards the changes and returns to the Groups tab.
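To make the Define Group condition semantics and the Edit Ranking order concrete, here is an added example that models both: it evaluates the parameters and operators listed in the Define Group table (is equal to, contains, starts with, ends with, in, not in, between, and the Subnet in operator) against a host record with all/any combination, and then picks the group that wins under a top-to-bottom ranking. This is illustrative code written for this page, not NetWitness product code; the host record layout, the rule that an empty definition matches nothing, and the rule that the first matching group in ranked order wins are assumptions, and the sample host and groups are constructed.

```python
"""Added example (not NetWitness code): evaluate Define Group conditions and
resolve a host's group by Edit Ranking order."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Condition:
    parameter: str   # "OS Type", "OS Description", "Host Name", "IPv4", "IPv6", "Machine OU", "Tag", "Subnet"
    operator: str    # one of the operators the page lists for that parameter
    values: list     # value or values to match


@dataclass
class Group:
    name: str
    match: str       # "all" or "any" (Include source if ... of the conditions are met)
    conditions: list


def _ip(value: str):
    return ipaddress.ip_address(value.strip())


def condition_matches(cond: Condition, host: dict) -> bool:
    """Evaluate one condition against a host record (assumed: dict of parameter -> value)."""
    op = cond.operator

    if cond.parameter == "Subnet":                  # only operator: in
        if op != "in":
            raise ValueError("Subnet supports only the 'in' operator")
        addr = host.get("IPv4") or host.get("IPv6")
        if addr is None:
            return False
        return any(_ip(addr) in ipaddress.ip_network(v.strip(), strict=False) for v in cond.values)

    actual = host.get(cond.parameter)
    if actual is None:
        return False

    if cond.parameter in ("IPv4", "IPv6"):
        ip = _ip(actual)
        if op == "between":                         # inclusive range given by two values
            low, high = (_ip(v) for v in cond.values[:2])
            return low <= ip <= high
        members = {_ip(v) for v in cond.values}
        if op == "in":
            return ip in members
        if op == "not in":                          # exclusion list, per the Note on the page
            return ip not in members
        raise ValueError(f"unsupported operator {op!r} for {cond.parameter}")

    # String parameters. A host may carry several Tags, so compare against each candidate.
    candidates = [str(c) for c in (actual if isinstance(actual, (list, tuple, set)) else [actual])]
    vals = [str(v) for v in cond.values]
    if op == "is equal to":
        return any(c == vals[0] for c in candidates)
    if op == "contains":
        return any(vals[0] in c for c in candidates)
    if op == "starts with":
        return any(c.startswith(vals[0]) for c in candidates)
    if op == "ends with":
        return any(c.endswith(vals[0]) for c in candidates)
    if op == "in":
        return any(c in vals for c in candidates)
    raise ValueError(f"unsupported operator {op!r} for {cond.parameter}")


def group_matches(group: Group, host: dict) -> bool:
    """Combine the group's conditions with all/any semantics."""
    if not group.conditions:
        return False                                # assumption: an empty definition matches nothing
    results = [condition_matches(c, host) for c in group.conditions]
    return all(results) if group.match == "all" else any(results)


def highest_ranked_group(ranked: list, host: dict) -> Optional[str]:
    """ranked is the Edit Ranking order, top first; assumption: the first match wins."""
    for group in ranked:
        if group_matches(group, host):
            return group.name
    return None


# Constructed sample host and groups (not from the page).
SAMPLE_HOST = {
    "OS Type": "Windows",
    "OS Description": "Microsoft Windows 10 Enterprise",
    "Host Name": "DESKTOP-QQPDNG3",
    "IPv4": "10.40.15.220",
    "Machine OU": "OU=Win10, OU=Contractors, DC=corp, DC=com",
    "Tag": ["finance", "laptop"],
}
LAB_SUBNET = Group("Lab subnet", "all", [
    Condition("Subnet", "in", ["10.40.15.0/24"]),
    Condition("IPv4", "not in", ["10.40.15.220", "10.40.15.221"]),   # excludes the sample host
])
CONTRACTOR_WIN10 = Group("Contractor Win10", "all", [
    Condition("OS Type", "in", ["Windows"]),
    Condition("OS Description", "starts with", ["Microsoft Windows 10"]),
    Condition("Machine OU", "contains", ["OU=Contractors"]),
])
FINANCE_OR_MAC = Group("Finance or Mac", "any", [
    Condition("Tag", "in", ["finance"]),
    Condition("OS Type", "in", ["MacOS"]),
])
RANKING = [LAB_SUBNET, CONTRACTOR_WIN10, FINANCE_OR_MAC]   # top to bottom

if __name__ == "__main__":
    for g in RANKING:
        print(f"{g.name}: {group_matches(g, SAMPLE_HOST)}")
    print("winner:", highest_ranked_group(RANKING, SAMPLE_HOST))
```

Both Contractor Win10 and Finance or Mac match the sample host, and Lab subnet does not because the not in exclusion fails; since Contractor Win10 sits higher in the ranking, it is the group reported. Moving Finance or Mac above it in RANKING changes the result, which is the effect the Simulate slider lets you preview before publishing.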