Endpoint Sources

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The Endpoint agents deployed in your environment may be large in number and geographically distributed. To efficiently manage and update configurations automatically, agents can be organized into smaller subsets called Groups.

Groups

Groups can be created based on Machine OU, IP address (IPv4 and IPv6), host names, operating system type, and operating system description. You can create groups based on your requirements. For example, you can group all agents running on Windows 2016 Server and IP ranging from 10.40.10.1 to 10.40.10.200. For more information on creating groups, see Creating Groups and Policies.

Note: All agents that are not part of any group use the default policy settings.

Policies

To manage the behavior of agents in a group, you can apply a set of rules called Policies. The NetWitness supports three types of policies for endpoints: Agent Endpoint, Agent File Logs, and Agent Windows Logs policies. The following default policies are available on installation.

Note: NetWitness recommends that you review these default policies before deploying agents.

You can either assign the default policies to a group, modify the default policy, or create custom policies based on your organizational requirements.

Note: You cannot edit the default policy for Windows Logs nor for File Logs.

You can do the following through a policy:

  • Define the agent mode - Insights or Advanced
  • Configure scan schedule and settings
  • Configure automatic file download
  • Configure endpoint settings, such as which Endpoint server the agents should communicate, port details, and beacon intervals
  • Configure response actions such as blocking
  • Configure Windows and File Log collection

For example, you can create a policy to schedule scan and enable blocking. For more information on creating policies, see Create an EDR Policy, Create a File Log Policy, or Create a Windows Log Policy.

Group Ranking

When a group is created, a rank is associated with every group based on the creation order. If an agent belongs to multiple groups, to handle conflicting configurations, you can reorder the groups to change the ranking, and the policy associated with the highest ranked group takes precedence.

Example 1

A Server group contains 100 hosts with a default Agent Endpoint policy. Amongst these, if 20 hosts require further investigations, analyst can:

  1. Create a temporary group with a static list of these 20 hosts.
  2. Create or apply any policy to this group that will not impact any other hosts.
  3. Edit the ranking for the new group, moving to the top of the Ranking list (making sure it is above the existing Server group).

  4. After investigation is done, delete this group. The hosts are revalidated and assigned to the appropriate group based on the ranking.

Example 2

Case 1:

netwitness_grpolicy1_671x348.png

Each agent is a part of a unique group that is associated with a policy, where each policy has all settings S1, S2, S3, S4, and S5 defined. For example, Agent 2 is a part of the group Hardware, where all settings in the policy Hardware are applicable.

Case 2:

netwitness_grpolicy2_669x348.png

In the policy Hardware, S4 and S5 settings are not defined, and hence the agent 2 inherits settings S4 and S5 from the default policy.

Case 3:

netwitness_grpolicy3_674x341.png

  • Agent 2 is a part of the highest ranked group Hardware, and with the policy Hardware. The agent 2 inherits settings S3, S4, and S5 from the default policy as they are not defined in the policy Hardware.
  • Agent 3 is a part of Hardware, Software, and Engineering groups, and with the policy Software. The agent considers the settings S4 and S5 from the policy Software, and the remaining undefined settings are inherited as follows:
    • S1 and S2 from the policy Hardware, which is associated with the highest ranked group.
    • S3 from the policy Engineering, which is the next ranked group.
  • Agent 4 is a part of Hardware, Software, and Engineering groups, and with the policy Engineering.
    • Though settings S1 and S2 are defined in policy Engineering, the agent 4 considers the settings S1 and S2 from the policy Hardware as it is associated with the highest ranked group.

    • S4 and S5 from the policy Software, which is the associated with the next highest ranked group.
    • S3 from the policy Engineering.

The following are some of the key points:

  • If an agent is not assigned to any group, default policies are applied.
  • A policy can be assigned to multiple groups. However, a group can only have one policy of each type (Agent Endpoint and Agent Windows Logs).
  • An agent can belong to multiple groups. The policy is derived based on the ranking of the group as shown in the above example (case 3).
  • If all settings are defined in a single policy, and it is the highest ranked policy for an agent, no policy settings from other ranked groups are inherited (case 1).

  • If there are any undefined settings in the policy, the settings from the default policy is considered as shown in the example above (case 2 and 3).

  • If an agent falls into more than one group, its complete set of policy attributes is determined as follows:

    • It takes all settings from the highest ranked policy that applies.
    • Any settings that are not set in the highest ranked policy are taken from the next highest ranked policy that applies.
    • If there are still unset attributes, they are taken from the default policy.
    • If there are any conflicts, the higher ranked policy wins.

Example 3

Assume the following:

  • Agent A belongs to below two groups, Production Servers and All Windows Hosts.
  • The Production Servers group has the Schedule scan set and no blocking policy assigned, and it has the following settings:

    • Schedule Scan : Enabled
    • Effective Date: 2019-03-08
    • Start Time: 09:00
    • Scan Frequency: Every 1 week
    • CPU Maximum: 45 %
    • Virtual Machine Maximum: 20 %
    • Blocking: Disabled
  • The All Windows Hosts group has the EDR for All Windows policy applied, which has the following settings:

    • Scan Master Boot Record: Disabled
    • Blocking: Enabled
  • The Production Servers group is ranked higher than the All Windows Hosts group for EDR policies. Keep in mind that ranking only applies to policies of the same source type: that is, all EDR policies are ranked, and all Windows Logs policies are ranked separately.

Agent A gets its final policy configuration as per the ranking of the groups (and associated policies) to which it belongs:

  • The agent uses the schedule set in the Schedule scan set and no blocking policy.
  • Scan Master Boot Record is disabled, because that is set in the EDR for All Windows policy.
  • Blocking is disabled: since there is a conflict, the value in the higher ranked policy is used.
  • All other attributes are set based on values in the Default EDR policy.
  • Note that if you wanted Blocking to be enabled, you could change the group ranking so that All Windows Hosts is higher than Production Servers: in this case, Production Servers would win the conflict, and Blocking would be enabled for Agent A.

Default Agent Endpoint (EDR) Policy

When an agent is installed, it operates in an Insights mode until a policy is assigned. The following are the default EDR policy settings:

Settings Fields Default Value
Scan Schedule

Run Scheduled Scan

Disabled

Effective Date Current date

Scan Frequency

Every week

Start Time 09:00 (this is 9 AM)

CPU Maximum

25%

Virtual Machine Maximum

10%

Agent Mode

Monitoring mode

Advanced

Scan Settings

Scan Master Boot Record

Disabled

Auto Scan New Systems When Added

Disabled

File Download Settings

Automatic File Download Enabled

Automatic Memory DLL Download

Enabled

Signature

Exclude All Signed

File Size Limit 1 MB
Response Action Settings

Blocking Disabled

Network Isolation

Disabled

Endpoint Server Settings

Endpoint Server

The agent considers the default Endpoint Server that is configured during packager generation.

Server Alias (Optional)

HTTPS Port

443

HTTPS Beacon Interval

15 Minutes

UDP Port

444

UDP Beacon Interval

30 Seconds

Default Windows Log Policy

The following are the default Windows Log policy settings:

Settings Fields Default Value
Windows Log Settings Status Disabled
Protocol TLS
Send Test Log Disabled

Default File Log Policy

The following are the default File Log policy settings:

Settings Fields Default Value
File Log Settings Status Disabled
Protocol TLS
Send Test Log Disabled