Endpoint Sources - Policies

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The Admin > Endpoint Sources view contains two tabs: Groups and Policies.

Workflow

[Figure: workflow for endpoint policies]

What do you want to do?

User Role       I want to ...                  Show me how
Administrator   create new groups              Create a Group
Administrator   edit groups                    Edit a Group
Administrator   edit ranking                   Managing Groups
Administrator   delete groups                  Delete a Group
Administrator   view default policies*         Default Agent Endpoint (EDR) Policy
Administrator   create an EDR policy*          Create an EDR Policy
Administrator   create a Windows Log policy*   Create a Windows Log Policy
Administrator   create a File Log policy*      Create a File Log Policy
Administrator   edit policies*                 Edit a Policy
Administrator   delete policies*               Delete a Policy

*You can perform this task in the current view.

Quick Look

Below is an example of the Policies tab:

[Figure: Policies tab]

1. Toolbar

  • Create New: Lets you create a new policy. For more information, see Managing Policies.
  • Publish: Publishes the selected policy.
  • Edit: Lets you edit the details of an existing policy. For more information, see Edit a Policy.
  • Delete: Deletes the selected policies permanently. For more information, see Delete a Policy.
2. Filter Panel

  • Filters: You can filter policies based on Policy Type and Publication Status.

    To hide the panel, click the close icon at the top-right of the panel. To display it again, click the filter icon in the toolbar.

  • Reset: Removes the currently applied filter criteria.

For more information, see Filter Policies.

3. Policies List Panel

Policy View. Displays the policy details:

  • Policy name: Name of the policy.
  • Applied to groups: Lists the groups to which this policy is applied.
  • Policy description: Displays the first portion of the description.
  • Policy type: Displays the policy type: Agent Endpoint, Agent File Logs, or Agent Windows Logs.
  • Publication Status: Status of the policy: Published or Unpublished.

You can also sort on any column. If you mouse over a column header, a sort icon is displayed. Click the icon to sort by the selected column.

4. Policy Details Panel

Displays the properties of the selected policy.

Note: To view the Properties panel for a policy, click the Policy Name.

Create Policy

Below is an example of the Create Policy dialog. The table describes the information and options in the Create Policy dialog.

[Figure: Create Policy dialog]

Field Description

Policy Type

Displays the type for the policy. Available options are Agent Endpoint, Agent File Logs, and Agent Windows Logs.

Policy Name

Name of the policy. The name should be unique.

Policy Description

Description of the policy. Description should not exceed 8000 characters.

Panels for File Log Policy

There are two panels for defining the parameters of an Agent File Logs policy: Define Connection Settings and Define File Policy Settings.

Define Connection Settings

Below is an example of Define Connection Settings panel. The table describes the information and available options.

[Figure: Define Connection Settings panel]

Field Description

Collect File Logs

If enabled, the log file collection capability of the agent is activated. Logs are collected and forwarded to NetWitness as they are generated. If disabled, no logs from the defined event sources are collected.

Note: This option must be enabled for any file event sources to be collected.

Send Test Log

If enabled, a sample log is sent to the configured server when the policy is loaded, to test connectivity. This lets you test the configuration before standard logs are available. By default, this option is disabled.

Primary Log Decoder / Log Collector

The primary Log Decoder or Log Collector to which the collected file logs will be forwarded.

Secondary Log Decoder / Log Collector

If the primary Log Decoder or Log Collector is not reachable, collected file logs are forwarded to the secondary Log Decoder or Log Collector.

Note: NetWitness cannot detect failures when the UDP protocol is used, so failover to the secondary does not occur over UDP.

Protocol

Select the transport protocol that is used to forward the collected file logs to the NetWitness servers. The following options are available:

  • SSL (TLS): Recommended. Logs are encrypted in transit; this is also the most resource-intensive option.
  • TCP: Sends the logs in clear text over a reliable TCP connection. Anyone who can observe the path can read the log content, so this is acceptable only within a trusted corporate network.
  • UDP: Sends the logs in clear text over a non-guaranteed UDP connection; lost datagrams are not detected or retransmitted. This is the least resource-intensive option.

Note: Resource intensity depends on the Log Decoder, since there is only a single connection per agent.

Advanced Configuration

Throttle Network Bandwidth

Use this setting to limit the network bandwidth that the agent uses to connect to NetWitness. This setting is disabled by default: click Enabled to turn it on, and then enter a value in kilobits per second.

  • If not set, the agent does not do any network throttling.
  • If set to a positive value x, the agent limits network bandwidth to x kbps.

 

Advanced Setting

Caution: It is strongly recommended not to use this setting unless advised to do so by NetWitness.

Define File Policy Settings

[Figure: Define File Policy Settings panel]

Field Description

Log File Type

From the drop-down menu, select the type of event source to be monitored.

The list of available event source types is based on all the event source types defined on your NetWitness. You can add event source types using the Live Services module. For details, see "Find and Deploy Live Resources" in the Live Services Management Guide.

Collect Logs

If enabled, log files for this file type instance are collected and forwarded to NetWitness. Collect Logs must be enabled for each source in the policy for that source's logs to be collected, and the policy-level Collect File Logs setting must also be enabled.

On First Connect

Determines whether the NetWitness Agent collects all logs or only newly created logs located in the specified paths upon initial collection. In both cases, new logs are collected.

Note: Historical logs cannot be collected after an agent has begun collecting logs.

Log File Path

One or more paths to be used by the agent to locate the log files. Represents the location of the log files to be read.

Note: The path value cannot end at a directory: the final portion of the path must represent a file name or a set of files (using wildcard characters). You can use wildcards for both files and directories.

Each source is limited to 16 paths. Each entry must include a path and a file spec. For example: C:\Program Files\apache-tomcat-*\logs\*.log. In this case, the directory wildcard matches any Tomcat version directory, and the file spec is all files with a ".log" extension in that directory.

If you cannot use wildcards to specify multiple files, you can add additional paths to accommodate differences in path locations on a specific endpoint agent, for example because of installation locations or version information. Only the paths that resolve to valid locations and files on the specific endpoint agent are used; the others are ignored.

For many event source types there is a default path. If so, you only need to enter a path if the log files are not stored in the standard directory for that event source type.

Note: This can be a standard Windows pathname (such as C:\Program Files\Apache\error_logs\logfile.log) or a UNC (Universal Naming Convention) pathname (\\host-name\share-name\file-path).

Exclusion Filters

An optional list of regex patterns used to filter out any log lines that match. Enter each filter on a new line. Each source is limited to 16 exclusion filters.

Note: Each filter needs to be entered as a valid regex string, or the system does not allow you to save it.
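The following is an added example, not code from NetWitness: a small Python model of the Log File Path and Exclusion Filters rules described above, run over a constructed set of file names and log lines. The sample paths, file names, log lines and regex filters are invented for the example, and matching a path spec segment by segment (so that a directory wildcard matches exactly one directory level) is this example's assumption about how the agent resolves a spec.

```python
import re
from fnmatch import fnmatchcase

# Per-source limits stated in this topic.
MAX_PATHS = 16
MAX_EXCLUSION_FILTERS = 16


class PolicyValidationError(ValueError):
    """A path list or filter list that the policy rules would reject."""


def _segments(path):
    """Split a drive path or UNC path on backslashes. For a UNC path the
    leading \\\\host is kept together as the first segment."""
    if path.startswith("\\\\"):
        parts = path[2:].split("\\")
        return ["\\\\" + parts[0]] + parts[1:]
    return path.split("\\")


def validate_log_paths(paths):
    """Apply the Log File Path rules: at most 16 entries, each a drive-letter
    or UNC path, and each ending in a file name or wildcard file spec."""
    if len(paths) > MAX_PATHS:
        raise PolicyValidationError(f"{len(paths)} paths entered; the limit is {MAX_PATHS}")
    for p in paths:
        is_drive = re.match(r"^[A-Za-z]:\\", p) is not None
        is_unc = p.startswith("\\\\") and len(_segments(p)) >= 3
        if not (is_drive or is_unc):
            raise PolicyValidationError(f"not a Windows drive path or UNC path: {p!r}")
        if p.endswith("\\"):
            raise PolicyValidationError(f"path ends at a directory, add a file spec: {p!r}")
    return True


def path_matches_spec(spec, actual):
    """Match one on-disk path against a spec segment by segment (assumption:
    a '*' in a directory segment matches one directory level only).
    Case-insensitive, as Windows file names are."""
    s_parts = _segments(spec.lower())
    a_parts = _segments(actual.lower())
    if len(s_parts) != len(a_parts):
        return False
    return all(fnmatchcase(a, s) for s, a in zip(s_parts, a_parts))


def compile_exclusion_filters(patterns):
    """One regex per line, at most 16; an invalid regex is rejected, just as
    the UI refuses to save it."""
    if len(patterns) > MAX_EXCLUSION_FILTERS:
        raise PolicyValidationError(f"{len(patterns)} filters; the limit is {MAX_EXCLUSION_FILTERS}")
    compiled = []
    for pat in patterns:
        try:
            compiled.append(re.compile(pat))
        except re.error as exc:
            raise PolicyValidationError(f"invalid regex {pat!r}: {exc}") from exc
    return compiled


def forward_lines(lines, compiled_filters):
    """Return the lines that survive the exclusion filters: a line matching
    any filter is dropped before forwarding."""
    return [ln for ln in lines if not any(f.search(ln) for f in compiled_filters)]


# Constructed sample input for this example (not product data).
SAMPLE_PATHS = [
    r"C:\Program Files\apache-tomcat-*\logs\*.log",
    r"\\fileserver\logs\app\*.log",
]
SAMPLE_FILES = [
    r"C:\Program Files\apache-tomcat-9.0.65\logs\catalina.2024-05-01.log",
    r"C:\Program Files\apache-tomcat-9.0.65\logs\work\old.log",  # one level too deep
    r"C:\Program Files\apache-tomcat-9.0.65\logs\catalina.out",  # wrong extension
    r"\\fileserver\logs\app\access.log",
]
SAMPLE_FILTERS = [r"^\S+ \S+ DEBUG ", r"GET /health-check "]
SAMPLE_LINES = [
    "2024-05-01 10:00:01 INFO  Server startup in 2345 ms",
    "2024-05-01 10:00:02 DEBUG Session cache flushed",
    "2024-05-01 10:00:03 INFO  GET /health-check 200",
    "2024-05-01 10:00:04 ERROR Login failed for user admin from 10.0.0.5",
]


def demo():
    """Validate the sample policy, then show which files and lines it forwards."""
    validate_log_paths(SAMPLE_PATHS)
    collected = [f for f in SAMPLE_FILES
                 if any(path_matches_spec(s, f) for s in SAMPLE_PATHS)]
    kept = forward_lines(SAMPLE_LINES, compile_exclusion_filters(SAMPLE_FILTERS))
    return collected, kept


if __name__ == "__main__":
    files, lines = demo()
    print("collected files:", *files, sep="\n  ")
    print("forwarded lines:", *lines, sep="\n  ")
```

Running demo() keeps only the Tomcat log one level under logs\ and the UNC access log, and drops the DEBUG and health-check lines before forwarding. Note that an exclusion filter silently discards events at the agent; review the filters as carefully as a detection rule, since an over-broad pattern such as a bare "." removes everything.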

Advanced Settings

Source Alias

Optionally, enter a hostname, IPv4 address, or IPv6 address to identify an individual source. This is recommended when two or more sources of the same type run on the same server: for example, a server that runs two instances of the Apache web server.

Note: This value only rarely needs to be entered. One example is a host that runs more than one Apache web server instance.

Note the following:

  • If you enter a value for this parameter, the event source applies to a single endpoint, so the policy should be applied only to that endpoint.
  • The optional address or hostname is included in the meta for any logs originating from this source. Analysts can use it to identify the source.
  • Set a value for this parameter if two sources of the same event source type are configured in the same policy.
  • This setting is not commonly needed: it is only useful if the policy is applied to a single endpoint.

File Encoding

Specifies the character encoding of the log files. If Local Encoding is selected, the NetWitness Agent uses the default encoding of the Windows machine on which it is running.

This setting must match the encoding of the log files, or they will not be processed correctly.

Note: UTF-8/ASCII is recommended (and the default). UTF-8 is a superset of ASCII.

All logs are re-encoded to UTF-8 before being sent to NetWitness.

For a list of the currently supported types, see Currently Supported File Log Event Source Types.

Define Policy Panel for Agent Endpoint Policy

Below is an example of Define policy panel. The table describes the information and options for Agent Endpoint policy:

[Figure: Define Policy panel for an Agent Endpoint policy]

Settings Description

Scan Schedule

Run Scheduled Scan

Run a scheduled scan if you want to receive regular snapshots from a host. Scan snapshots provide detailed information about processes and files loaded in memory. By default, this option is disabled.
You can also run a manual scan from the Hosts view.

Note: The following scan schedule options are available only when the scan schedule is enabled.
The values entered are specific to the agent time zone.

Effective Date

Date when the policy takes effect. If you do not want this policy to take effect as soon as it is applied to a group and published, set an effective date that is in the future. By default, this is set to the current date.

Scan Frequency

Determines how often the scheduled scan runs on a host. By default, this is set to every week. Every network is different and the frequency should balance the needs of the analysts for current data, availability to review the data, and how systems deal with the load of the generated data.

Select Days or Weeks:

  • Days: Select the number of days of the scan frequency. You can set a schedule to scan every n days, where n is 1, 2, 3, 4, 5, 6, 10, 15, or 20. For example, to scan every third day, select 3.
  • Weeks: Select after how many weeks the policy scan should be initiated and on which day of the week the policy scan should initiate. For example, to scan every other Wednesday, choose 2 and W.

Start Time

Time when the scheduled scan starts to run on a host. By default, this is set to 9:00. This is the local host time, meaning that scans across a global network will not run all at once. Note that the time is in 24 hour format. To set a time of 7:30 PM, select 19:30.
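Added example, not from the original page: Python that works out the first few scheduled scan dates for a Days or Weeks schedule and shows the same Start Time landing at different UTC instants for hosts in different time zones, which is why scans across a global network do not all run at once. The two fixed-offset zones and the effective date are constructed for the example, and anchoring the series on the effective date is an assumption (the text only states that the policy takes effect on that date).

```python
from datetime import date, datetime, time, timedelta, timezone

# Frequencies the Days option offers, per this topic.
DAY_FREQUENCIES = (1, 2, 3, 4, 5, 6, 10, 15, 20)

# Fixed UTC offsets stand in for two agents' local zones (an assumption made
# for the example; a real agent uses the host's configured time zone).
TZ_NEW_YORK = timezone(timedelta(hours=-4), "EDT")
TZ_SINGAPORE = timezone(timedelta(hours=8), "SGT")


def scan_dates(effective, every, unit, weekday=None, count=4):
    """Return the first `count` agent-local calendar dates on which the
    scheduled scan runs.
      unit == "days":  every `every` days, counting from the effective date.
      unit == "weeks": every `every` weeks on `weekday` (Monday=0 .. Sunday=6),
                       starting with the first such weekday on or after the
                       effective date.
    Anchoring the series on the effective date is this example's assumption."""
    if unit == "days":
        if every not in DAY_FREQUENCIES:
            raise ValueError(f"Days frequency must be one of {DAY_FREQUENCIES}")
        first, step = effective, timedelta(days=every)
    elif unit == "weeks":
        if weekday is None or not 0 <= weekday <= 6:
            raise ValueError("a weekly schedule needs a day of the week (0-6)")
        if every < 1:
            raise ValueError("week count must be at least 1")
        first = effective + timedelta(days=(weekday - effective.weekday()) % 7)
        step = timedelta(weeks=every)
    else:
        raise ValueError("unit must be 'days' or 'weeks'")
    return [first + i * step for i in range(count)]


def scan_instants_utc(dates, start_time, tz):
    """Attach the policy's 24-hour Start Time in the host's local zone to each
    date and express the result in UTC."""
    return [datetime.combine(d, start_time, tzinfo=tz).astimezone(timezone.utc)
            for d in dates]


def example_schedules():
    """Two schedules from the text: every third day, and every other Wednesday
    at 19:30, the latter applied to hosts in New York and Singapore."""
    effective = date(2024, 5, 1)  # a Wednesday; constructed for the example
    every_third_day = scan_dates(effective, 3, "days")
    biweekly_wed = scan_dates(effective, 2, "weeks", weekday=2)
    ny = scan_instants_utc(biweekly_wed, time(19, 30), TZ_NEW_YORK)
    sg = scan_instants_utc(biweekly_wed, time(19, 30), TZ_SINGAPORE)
    return {
        "every_3_days": [d.isoformat() for d in every_third_day],
        "every_other_wed": [d.isoformat() for d in biweekly_wed],
        "new_york_utc": [t.isoformat() for t in ny],
        "singapore_utc": [t.isoformat() for t in sg],
        "spread_hours": (ny[0] - sg[0]).total_seconds() / 3600,
    }


if __name__ == "__main__":
    for key, value in example_schedules().items():
        print(key, value)
```

For the same 19:30 Start Time, the Singapore host scans twelve hours before the New York host, so snapshot load on the Endpoint Server is spread across the day rather than arriving in one burst.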

CPU Maximum

Amount of CPU the agent can use to run scheduled scans on physical hosts. By default, the value is set at 25%. Increasing the CPU maximum increases the speed of scan snapshot retrieval.

Drag the slider to specify the maximum CPU usage by the created policy. Minimum value is 5%. Use the slider to select the maximum CPU processing power to use for the scan. Note that the higher the percentage, the less CPU is available for other tasks on the host.

Virtual Machine Maximum

Amount of CPU the agent can use to run scheduled scans on virtual machines. By default, the value is set at 10%. Increasing the virtual machine maximum value increases the speed of scan snapshot retrieval.

Drag the slider to specify the maximum Virtual Machine usage by the policy. Minimum value is 5%. Use the slider to select the maximum CPU processing power to use for the scan. Keep in mind that the higher the percentage, the less CPU is available for other tasks running on the virtual machine.

Agent Mode

Monitoring mode

Allows you to specify whether an agent should operate in Insights mode (free) or Advanced mode (licensed). By default, it is set to Advanced.

(Version 11.5 and Later) Expanded Network Visibility

Enables network tracking and monitoring on Windows hosts in Insights mode.

Note: For network tracking in Insights mode, verify that the Windows Management Instrumentation (WMI) service is enabled.

It also optimizes the frequency of agents sending network events for network packet correlation for both Insights and Advanced modes. By default, this option is disabled.

Scan Settings

Scan Master Boot Record

Includes Master Boot Record (MBR) details in scheduled scans. By default, this option is disabled. This can help to identify when an operating system boot sequence is compromised. However, not all modifications to the MBR are malicious, as they could be made to provide encryption or enforce licensing of certain legitimate software.

Auto Scan New Systems When Added

Automatically scans when a new host is added. By default, this option is disabled. If this option is disabled, no snapshot data is displayed in the Hosts view until a manual or scheduled scan is run on these hosts. Existing hosts will not be affected.

Note: Enabling this option on a new deployment when this policy is applied to a large number of hosts may result in a large number of simultaneous scans that cause performance degradation.

Download Settings

Automatic File Download

Automatically downloads files to the NetWitness Endpoint Server based on the file size and signature settings below. If a file is present on multiple hosts or multiple Endpoint Servers, only one instance of the file is downloaded. By default, this option is enabled.

Automatic Memory DLL Downloads

(Version 11.6.1 and later) All memory DLLs that are detected during a scan are automatically downloaded, regardless of the file size. This option is enabled by default.

Signature

Limits the download of files based on the signature. The options are:

  • Exclude All Signed: Downloads all unsigned files to the NetWitness Endpoint Server and excludes all signed files.
  • Exclude only Microsoft and Apple signed: Downloads all unsigned files and excludes only the files signed by Microsoft and Apple.
  • Include All: Downloads all signed and unsigned files.

Note: On Linux, the Exclude All Signed and Exclude only Microsoft and Apple signed options download files that are not part of any installed RPM, or that belong to an RPM but whose hashes do not match the RPM's recorded hashes.

File Size Limit

Limits the download of files based on file size. The limit must be between 1 KB and 10 MB. By default, files of 1 MB or less are downloaded automatically.

Response Action Settings

Blocking

Allows an analyst to prevent the execution of a malicious file on any host running an Advanced mode agent. By default, this option is disabled. File blocking will not be enforced if it is disabled by policy, which might be desirable to ensure that there are no performance side effects on systems where CPU or IO performance is critical.

Note: Blocking is only supported on Windows agent (in Advanced mode) with NetWitness version 11.3 and later.

Network Isolation

Allows an analyst to block compromised hosts from connecting to the network. This controls the spread of an attack and helps analyze the malware's behavior after isolation. All attempted network connections are monitored and reported to the Endpoint Server. By default, this option is disabled.

Note: Network isolation is only supported on Windows agent (in Advanced mode) with NetWitness version 11.4 and later.

Endpoint Server Setting

Endpoint Server

Displays all available Endpoint Servers in the deployment.

Note: If you do not select an Endpoint Server, the agent uses the default Endpoint Server that is configured during packager generation.

Server Alias (Optional)

The optional server alias allows you to enter an alternative hostname or IP address on which the server can be reached in the case that agents need to go through a NAT or similar in order to reach the Endpoint Server.

HTTPS Port

Port number used for HTTPS communication. By default, the port is set to 443.

If you want to change this port, make sure that it matches the server configuration. If you enter the wrong port, the agents can no longer communicate with the Endpoint server and the system will be non-functional.

HTTPS Beacon Interval

Determines how often an agent communicates with the Endpoint Server over HTTPS. By default, the value is set to 15 minutes. The default method of beaconing is UDP; the HTTPS beacon is the fallback. Beaconing is a keep-alive that tells the server whether a host is online and lets hosts respond faster than the fallback HTTPS beacon interval would allow.

UDP Port

Port number used for UDP communication. By default, the port is set to 444.

If you want to change this port, make sure that it matches the server configuration. Entering the wrong port results in loss of functionality and affects performance.

UDP Beacon Interval

Determines how often an agent can communicate with the Endpoint server over UDP. By default, the value is set to 30 seconds.

Define Policy Panel for Windows Logs Policy

The table describes the information and options for Agent Windows Logs policy:

[Figure: Define Policy panel for an Agent Windows Logs policy]

Settings Description

Windows Log Collection

If enabled, logs from the Windows hosts are collected and forwarded to the NetWitness Platform. By default, this option is disabled.

Send Test Log

If enabled, a sample log is sent to the configured server when the policy is loaded, to test connectivity. This lets you test the configuration before standard logs are available. By default, this option is disabled.

Primary Log Decoder / Log Collector

The primary NetWitness Log Decoder or Log Collector to which the collected Windows logs are forwarded.

(Optional) Secondary Log Decoder / Log Collector

If the primary Log Decoder or Log Collector is not reachable, the collected Windows logs are forwarded to the secondary Log Decoder or Log Collector.

Note: NetWitness cannot detect failures when the UDP protocol is used, so failover to the secondary does not occur over UDP.

Protocol

Select whether the TLS, TCP, or UDP transport protocol is used to forward the collected Windows logs to the NetWitness Platform servers. By default, the protocol is TCP. TCP and UDP send the logs in clear text; use TLS unless the path to the Log Decoder is trusted.

Channel Filters

Configure which Windows Log events to collect by selecting a channel, a filter condition, and the relevant Event IDs. You can either select common channels, such as Security or System, from the drop-down list, or add custom channels by entering the channel name. By default, all events are collected from a selected channel; channels that are not selected are not collected.

To collect a subset of events from a channel, replace ALL with the relevant Event IDs. Select INCLUDE if only events with the listed Event IDs should be collected, or select EXCLUDE to collect all events from the channel except those with the listed Event IDs.
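As an added example (not NetWitness code), the following Python models how a Channel Filters table decides which events are forwarded. The three filter rows and the list of sample events are constructed for the example, and treating a channel that is not in the table as not collected is this example's reading of the text above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChannelFilter:
    channel: str
    mode: str             # ALL, INCLUDE or EXCLUDE
    event_ids: frozenset  # empty when mode is ALL


def make_channel_filter(channel, mode, id_text):
    """Build one Channel Filters row. id_text is the Event ID box: 'ALL' or a
    comma/space separated list of integer IDs; mode is INCLUDE or EXCLUDE."""
    text = id_text.strip()
    if text.upper() == "ALL":
        return ChannelFilter(channel, "ALL", frozenset())
    if mode not in ("INCLUDE", "EXCLUDE"):
        raise ValueError(f"mode must be INCLUDE or EXCLUDE, got {mode!r}")
    ids = set()
    for token in text.replace(",", " ").split():
        if not token.isdigit():
            raise ValueError(f"not an Event ID: {token!r}")
        ids.add(int(token))
    if not ids:
        raise ValueError("replace ALL with at least one Event ID")
    return ChannelFilter(channel, mode, frozenset(ids))


def is_collected(filters, channel, event_id):
    """Decide whether one event is forwarded: a channel with no row is not
    collected (assumption); ALL forwards everything; INCLUDE forwards only the
    listed IDs; EXCLUDE forwards everything except the listed IDs."""
    row = {f.channel: f for f in filters}.get(channel)
    if row is None:
        return False
    if row.mode == "ALL":
        return True
    if row.mode == "INCLUDE":
        return event_id in row.event_ids
    return event_id not in row.event_ids


# Constructed policy for the example: a detection-oriented Security subset,
# System with the noisy event-log service start/stop/uptime events removed,
# and every event from the PowerShell operational channel.
SAMPLE_FILTERS = [
    make_channel_filter("Security", "INCLUDE", "4624, 4625, 4688, 4698, 4720, 4732"),
    make_channel_filter("System", "EXCLUDE", "6005 6006 6013"),
    make_channel_filter("Microsoft-Windows-PowerShell/Operational", "INCLUDE", "ALL"),
]

# Constructed sample events: (channel, event id, what that ID records).
SAMPLE_EVENTS = [
    ("Security", 4624, "successful logon"),
    ("Security", 4688, "new process created"),
    ("Security", 4672, "special privileges assigned to new logon"),
    ("System", 7045, "service installed"),
    ("System", 6005, "event log service started"),
    ("Application", 1000, "application error"),
    ("Microsoft-Windows-PowerShell/Operational", 4104, "script block logged"),
    ("Microsoft-Windows-Sysmon/Operational", 1, "Sysmon process create"),
]


def decisions(filters=SAMPLE_FILTERS, events=SAMPLE_EVENTS):
    """Map 'channel:id' to whether the policy forwards that event."""
    return {f"{ch}:{eid}": is_collected(filters, ch, eid) for ch, eid, _ in events}


if __name__ == "__main__":
    for key, collected in decisions().items():
        print(f"{'collect' if collected else 'drop   '}  {key}")
```

The run shows the two traps in this table: Security 4672 is dropped because it is absent from an INCLUDE list, and every Sysmon event is dropped because the channel was never added at all. When you tighten an INCLUDE list, check it against the Event IDs your detection content depends on.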

Advanced Configuration

Throttle Network Bandwidth

Use this setting to limit network bandwidth that the Agent uses to connect to NetWitness. This setting is disabled by default: click Enabled to turn it on, and then enter a value in kilobits per second.

  • If not set, Agent does not do any network throttling.
  • If set to a positive value x, agent limits network bandwidth to x kbps.


Advanced Setting

Caution: It is strongly recommended not to use this setting unless advised to do so by NetWitness.