NetWitness Community

Yes

Endpoint Sources - PoliciesEndpoint Sources - Policies

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The (Admin) > Endpoint Sources view contains two tabs: Groups and Policies.

Workflow

What do you want to do?

User Role	I want to ...	Show me how
Administrator	create new groups	Create a Group
Administrator	edit groups	Edit a Group
Administrator	edit ranking	Managing Groups
Administrator	delete groups	Delete a Group
Administrator	view default policies*	Default Agent Endpoint (EDR) Policy
Administrator	create an EDR policy*	Create an EDR Policy
Administrator	create a Windows Log policy*	Create a Windows Log Policy
Administrator	create a File Log policy*	Create a File Log Policy
Administrator	edit policies*	Edit a Policy
Administrator	delete policies*	Delete a Policy

*You can perform this task in the current view

Create Policy

Below is an example of the Create Policy dialog. The table describes the information and options in the Create Policy dialog.

Field	Description
Policy Type	Displays the type for the policy. Available options are Agent Endpoint, Agent File Logs, and Agent Windows Logs.
Policy Name	Name of the policy. The name should be unique.
Policy Description	Description of the policy. Description should not exceed 8000 characters.

Panels for Log File PolicyPanels for Log File Policy

There are two panels for defining the parameters for an Agent Log File Policy: Define Connection Settings and Define File Policy Settings.

Define Connection Settings

Below is an example of Define Connection Settings panel. The table describes the information and available options.

Field	Description
Collect File Logs	If enabled, the log file collection capability of the agent is activated. Logs are collected and forwarded to the NetWitness as they are generated. If disabled, no defined event source logs are collected. Note: This option must be enabled for any file event sources to be collected.
Send Test Log	If enabled, a sample log is sent to the configured server when the policy is loaded to test connectivity. This allows to test the configuration before standard logs are available. By default, this option is disabled.
Primary Log Decoder / Log Collector	The primary Log Decoder or Log Collector to which the collected file logs will be forwarded.
Secondary Log Decoder / Log Collector	If the primary Log Decoder or Log Collector is not reachable, collected file logs are forwarded to the secondary Log Decoder or Log Collector. Note: The NetWitness cannot detect failures when UDP protocol is used.
Protocol	Select the transport protocol that is used to forward the collected file logs to the NetWitness servers. The following options are available: SSL: Recommended, but also the most resource-intensive option. TCP: Sends the logs in clear text over a reliable TCP connection. May be acceptable within a corporate network. UDP: Sends the log in clear text over a non-guaranteed UDP connection. This is the least resource intensive option. Note: Resource intensity is dependent upon the Log Decoder, since there is only a single connection per agent.
Advanced Configuration
Throttle Network Bandwidth	Use this setting to limit network bandwidth that the Agent uses to connect to NetWitness. This setting is disabled by default: click Enabled to turn it on, and then enter a value in kilobits per second.If not set, Agent does not do any network throttling.If set to a positive value x, agent limits network bandwidth to x kbps.
Advanced Setting	Caution: It is strongly recommended not to use this setting unless advised to do so by NetWitness.

Define File Policy Settings

Field	Description
Log File Type	From the drop-down menu, select the type of event source to be monitored. The list of available event source is based on all the event source types defined on your NetWitness. You can add event source types using the Live Services module. For details, see "Find and Deploy Live Resources" in the Live Services Management Guide.
Collect Logs	If enabled, log files for this file type instance are collected and forwarded to the NetWitness. File collection must be enabled on each source applying this policy for these specific logs to be collected.
On First Connect	Determines whether the NetWitness Agent collects all logs or only newly created logs located in the specified paths upon initial collection. In both cases, new logs are collected. Note: Historical logs cannot be collected after an agent has begun collecting logs.
Log File Path	One or more paths to be used by the agent to locate the log files. Represents the location of the log files to be read. Note: The Path value cannot end at a directory—the final portion of the path must represent a file name or set of files (using wildcard characters). You can use wildcards for both files and directories. Each source is limited to entry of 16 paths. This setting must include a path and a file spec. For example: C:\Program Files\apache-tomcat-\logs\.log. In this case, the file spec is all files with a ".log" extension in the specified path. If you cannot use wildcards to specify multiple files, you can add additional paths to accommodate the differences in path locations on a specific endpoint agent. This might be due to installation locations or version information. Only the paths with valid locations and files on the specific endpoint agent are used, and the others are ignored. For many event source types, there is a default path. If so, you only need to enter a path if the log files are not stored in the standard directory for that event source type. Note: This can be a standard Windows pathname (such as C:\Program Files\Apache\error_logs\logfile.log) or a UNC (Universal Naming Convention) pathname (\\host-name\share-name\file-path). For more details about UNC paths, see Endpoint Sources - Policies below.
Exclusion Filters	An optional list of regex patterns which can be used to filter out any logs that match the patterns. Each separate filter should be entered on a new line. Each source is limited to 16 exclusion filters. Note: Each filter needs to be entered as a valid regex string, or the system does not allow you to save it.
Advanced Settings
Source Alias	Optionally, enter a hostname, IPv4 or IPv6 address to identify individual sources. This is recommended when there are two or more sources of the same type on the same server: For example, a server that runs two instances of Apache web server. Note: This value only rarely needs to be entered. One example is if you have more than one Web Server, and they are running different Apache servers. Note the following: If you enter a value for this parameter, the event source is applicable to a single Endpoint server. This optional address or hostname is included in the meta for any logs originating from this source. This can be used by analysts to assist in identifying the source. Set a value for this parameter if two sources of the same event source type are configured in the same policy. This setting is not commonly needed: it is only useful if the policy is only applied to a single endpoint.
File Encoding	Specifies the type of character encoding of the log files. If Local Encoding is selected, the NetWitness Agent uses the default encoding of the Windows machine upon which it is running. This setting must match the encoding of the log files, or they will not be processed correctly. Note: UTF-8/ASCII is recommended (and the default). UTF-8 is a super-set of ASCII Note that all logs are re-encoded to UTF-8 before being sent to the NetWitness.

For a list of the currently supported types, see Currently Supported File Log Event Source Types.

Define Policy Panel for Agent Endpoint PolicyDefine Policy Panel for Agent Endpoint Policy

Below is an example of Define policy panel. The table describes the information and options for Agent Endpoint policy:

Settings	Description
Scan Schedule
Run Scheduled Scan	Run a scheduled scan if you want to receive regular snapshots from a host. Scan snapshots provide detailed information about processes and files loaded on the memory. By default, this option is disabled. You can also run a manual scan from the Hosts view. Note: The following scan schedule options are available only when the scan schedule is enabled. The values entered are specific to the agent time zone.
Effective Date	Date when the policy takes effect. If you do not want this policy to take effect as soon as it is applied to a group and published, set an effective date that is in the future. By default, this is set to the current date.
Scan Frequency	Determines how often the scheduled scan runs on a host. By default, this is set to every week. Every network is different and the frequency should balance the needs of the analysts for current data, availability to review the data, and how systems deal with the load of the generated data. Select Days or Weeks: Days: Select the number of days of the scan frequency. You can set a schedule to scan every n days, where n is 1, 2, 3, 4, 5, 6, 10, 15, or 20. For example, to scan every third day, select 3. Weeks: Select after how many weeks the policy scan should be initiated and on which day of the week the policy scan should initiate. For example, to scan every other Wednesday, choose 2 and W.
Start Time	Time when the scheduled scan starts to run on a host. By default, this is set to 9:00. This is the local host time, meaning that scans across a global network will not run all at once. Note that the time is in 24 hour format. To set a time of 7:30 PM, select 19:30.
CPU Maximum	Amount of CPU the agent can use to run scheduled scans on physical hosts. By default, the value is set at 25%. Increasing the CPU maximum increases the speed of scan snapshot retrieval. Drag the slider to specify the maximum CPU usage by the created policy. Minimum value is 5%. Use the slider to select the maximum CPU processing power to use for the scan. Note that the higher the percentage, the less CPU is available for other tasks on the host.
Virtual Machine Maximum	Amount of CPU the agent can use to run scheduled scans on virtual machines. By default, the value is set at 10%. Increasing the virtual machine maximum value increases the speed of scan snapshot retrieval. Drag the slider to specify the maximum Virtual Machine usage by the policy. Minimum value is 5%. Use the slider to select the maximum CPU processing power to use for the scan. Keep in mind that the higher the percentage, the less CPU is available for other tasks running on the virtual machine.
Agent Mode
Monitoring mode	Allows you to specify whether an agent should operate in Insights (free) or Advanced mode (license). By default, it is set to Advanced.
(Version 11.5 and Later) Expanded Network Visibility	Enables network tracking and monitoring on Windows hosts in Insights mode. Note: For network tracking in Insights mode, verify that the Windows Management Instrumentation (WMI) service should be enabled. It also optimizes the frequency of agents sending network events for network packet correlation for both Insights and Advanced modes. By default, this option is disabled.
Scan Settings
Scan Master Boot Record	Includes Master Boot Record (MBR) details in scheduled scans. By default, this option is disabled. This can help to identify when an operating system boot sequence is compromised. However, not all modifications to the MBR are malicious, as they could be made to provide encryption or enforce licensing of certain legitimate software.
Auto Scan New Systems When Added	Automatically scans when a new host is added. By default, this option is disabled. If this option is disabled, no snapshot data is displayed in the Hosts view until a manual or scheduled scan is run on these hosts. Existing hosts will not be affected. Note: Enabling this option on a new deployment when this policy is applied to a large number of hosts may result in a large number of simultaneous scans that cause performance degradation.
Download Settings
Automatic File Download	Automatically download the files to the NetWitness Endpoint Server based on the file size and signature. If a file is present on multiple hosts or multiple Endpoint Servers, only one instance of the file is downloaded. By default this option is enabled.
Automatic Memory DLL Downloads	From version 11.6.1 and higher, all memory DLLs that are detected during a scan, will be automatically downloaded regardless of the file size. This option is enabled by default.
Signature	Limits the download of files based on the signature. The options are : Exclude All Signed - Downloads all the unsigned files to the NetWitness Endpoint Server and exclude all the signed files. Exclude only Microsoft and Apple signed - Downloads all the unsigned files and exclude the files signed by Microsoft and Apple. Include All- Downloads all the signed and unsigned files. Note: . In case of Linux, Exclude all signed and Exclude Microsoft and Apple signed options will download the files that are not part of any installed RPMs or files which are part of RPM but the hashes does not match with RPM.
File Size Limit	Limits the download of files based on the file size. The File size should be between 1 KB and 10 MB. By default, file size lesser than or equal to 1 MB are downloaded automatically.
Response Action Settings
Blocking	Allows an analyst to prevent the execution of a malicious file on any host running an Advanced mode agent. By default, this option is disabled. File blocking will not be enforced if it is disabled by policy, which might be desirable to ensure that there are no performance side effects on systems where CPU or IO performance is critical. Note: Blocking is only supported on Windows agent (in Advanced mode) with NetWitness version 11.3 and later.
Network Isolation	Allows an analyst to block hosts that are compromised from connecting to the network. This controls the spread of an attack and help analyze the malware behavior after the network isolation. All attempted network connections are monitored and reported to the Endpoint Server. By default, this option is disabled. Note: Network isolation is only supported on Windows agent (in Advanced mode) with NetWitness version 11.4 and later.
Endpoint Server Setting
Endpoint Server	Displays all available Endpoint servers in the deployed. Note: If you do not select an Endpoint Server, the agent uses the default Endpoint Server that is configured during packager generation.
Server Alias (Optional)	The optional server alias allows you to enter an alternative hostname or IP address on which the server can be reached in the case that agents need to go through a NAT or similar in order to reach the Endpoint Server.
HTTPS Port	Port number used for HTTPS communication. By default, the port is set to 443. If you want to change this port, make sure that it matches the server configuration. If you enter the wrong port, the agents can no longer communicate with the Endpoint server and the system will be non-functional.
HTTPS Beacon Interval	Determines how often an agent can communicate with the Endpoint server over HTTPS. By default, the value is set to 15 minutes. The default method of beaconing is UDP. Beaconing is used as a method of keep-alive to know if a host is online and to allow hosts to respond faster than the fallback HTTPS beacon time.
UDP Port	Port number used for UDP communication. By default, the port is set to 444. If you want to change this port, make sure that it matches the server configuration. Entering the wrong port results in loss of functionality and effects performance.
UDP Beacon Interval	Determines how often an agent can communicate with the Endpoint server over UDP. By default, the value is set to 30 seconds.

Define Policy Panel for Windows Logs Policy

The table describes the information and options for Agent Windows Logs policy:

Settings	Description
Windows Log Collection	If enabled, logs from the Windows hosts are collected and forwarded to the NetWitness Platform. By default, this option is disabled.
Send Test Log	If enabled, a sample log is sent to the configured server when the policy is loaded to test connectivity. This allows to test the configuration before standard logs are available. By default, this option is disabled.
Primary Log Decoder / Log collector	Primary NetWitness Log Decoder or Log Collector to which the collected Windows logs are forwarded.
(Optional) Secondary Log Decoder / Log collector	If the primary Log Decoder or Log Collector is not reachable, the collected Windows logs are forwarded to the secondary Log Decoder or Log Collector. Note: NetWitness cannot detect failures when UDP protocol is used.
Protocol	Select whether TLS, TCP, or UDP transport protocol is used to forward the collected Windows logs to the NetWitness Platform servers. By default, the protocol is TCP.
Channel Filters	Configure which Windows Log events to collect by selecting a channel, filter condition, and the relevant event IDs. You can either select common channels, such as Security or System from the drop-down list, or create custom channels by entering the channel name. By default, all events are collected from a selected channel. To collect a subset of events from that channel replace 'ALL' with the relevant Event IDs. Select INCLUDE if only events with the listed Event IDs should be collected or select EXCLUDE to collect all events except for these events.
Advanced Configuration
Throttle Network Bandwidth	Use this setting to limit network bandwidth that the Agent uses to connect to NetWitness. This setting is disabled by default: click Enabled to turn it on, and then enter a value in kilobits per second. If not set, Agent does not do any network throttling. If set to a positive value x, agent limits network bandwidth to x kbps.
Advanced Setting	Caution: It is strongly recommended not to use this setting unless advised to do so by NetWitness.

1	Toolbar Create New: Lets you create a new policy. For more information, see Managing Policies. Publish: Publishes the selected policy. Edit: Lets you edit the details of an existing policy. For more information, see Edit a Policy. Delete: Deletes the selected policies permanently. For more information, see Delete a Policy.
2	Filter Panel Filters: You can filter policies based on Policy Type and Publication Status. To hide, click the icon at the top-right of the panel. To display if hidden, click the icon in the toolbar. Reset: Removes the currently applied filter criteria. For more information, see Filter Policies.
3	Policies List Panel Policy View. Displays the policy details: Policy name: Name of the policy. Applied to groups: Lists the group to which this policy is applied. Policy description: Displays the first portion of the description. Policy type: Displays the policy type: Agent Endpoint, Agent File Logs, or Agent Windows Logs. Publication Status: Status of the policy: Published or Unpublished. You can also sort on any column. If you mouse over a column header, a sort icon is displayed: . Click the icon to sort by the selected column.
4	Policy Details Panel Displays the properties of the selected policy. Note: To view the Properties panel for a policy, click the Policy Name.