NetWitness Endpoint

Note: The information in this topic applies to NetWitness Version 11.1 and later.

About NetWitness Endpoint

The NetWitness Platform provides an endpoint detection and response solution that continuously monitors the behavior of all endpoints in and outside the network to provide deep visibility and analysis of executables and processes. It helps to detect new, unknown, and targeted attacks, highlights suspicious activity for investigation, exposes anomalous behaviors, and determines the scope of compromise to help analysts respond to advanced threats faster. During investigation, the analyst can use the visual indication of threat level to assess the risk of endpoints.

As part of this solution, NetWitness introduces Endpoint Log Hybrid that:

  • Collects and manages endpoint (host) data from Windows, Mac, and Linux hosts.
  • Collect log files and Windows logs from Windows hosts.
  • Generates metadata to correlate endpoint data with sessions from other events sources, such as logs and network.

Analysts can:

  • Perform instant scans for detailed insights of the host behavior at any point in time.
  • Analyze the scope of the attack across hosts and network through integrated metadata.

  • Quickly triage and focus their investigation by managing suspect and legitimate files.
  • Perform multiple checks of file legitimacy to determine if a file is malicious, including checking file certificates and hashes.

  • Blacklist malicious files and then block them across all hosts in the network to prevent future execution of this file on any host.

  • Download Files, Master File Table (MFT), system dump, and process dump for forensic investigation.
  • Isolate host from the network to safely investigate possible threats within the host.

Endpoint Log Hybrid receives data from the Endpoint Agents. The following services run on the Endpoint Log Hybrid:

  • Endpoint Server: Manages data received and stores it in a database. It parses the events, generates metadata, and forwards it to the Log Decoder through protobuf. You can deploy up to 6 Endpoint Log Hybrid hosts. For a consolidated view of all endpoint data from multiple Endpoint Log Hybrid hosts, install the Endpoint Broker. You can add only one broker in a NetWitness platform deployment which serves up to 6 Endpoint Log Hybrid hosts. Multiple Endpoint Log Hybrids are required to share certificates by copying them from the primary Endpoint Log Hybrid to the secondary Endpoint Log Hybrid using the SCP command.

    Note: You may need to install your Endpoint Server on separate hardware from your Log Decoder.

    If you are only using NW Platform for collecting and analyzing logs, you can co-locate your Endpoint Server on the same physical hardware as your Log Decoder. For more information, see the Prepare Virtual or Cloud Storage topic in the Storage Guide for NetWitness Platform.

    If you exceed these guidelines, the amount of disk space usage and CPU might become so high as to create alarms for your Endpoint Server in Health and Wellness. If you notice this, and are running both log collection and EDR scans, you can use Throttling to control the amount of data coming into the Log Decoder.

    If that doesn't help, NetWitness recommends that you move your Endpoint Server onto separate hardware from that used by your Log Decoder.


  • Log Decoder: Captures data from the Endpoint Server and processes the metadata.

  • Concentrator: Aggregates metadata from the Log Decoder and makes it available for all upstream components like Investigate, Reporting Engine, Respond, and Event Stream Analysis similar to NetWitness Decoder and Concentrator.

  • Log Collector: Collects logs from all event sources that are supported for the log collection in the NetWitness Platform.

In addition to the above services, the Endpoint Log Hybrid leverages the following services:

  • Event Stream Analysis (ESA): Creates alerts from ESA rules for Endpoint data.
  • Endpoint Broker: Provides a consolidated view of all Endpoint servers in a multiple Endpoint Log Hybrid deployment.

Endpoint Agent Data Flow

The following figure shows the endpoint data flow from the agent to the NetWitness:


The Hosts and Services Getting Started Guide provides the information you need to understand and install all the NetWitness services.

Basic configuration involves:

  • Installing agents on hosts
  • Deploying the ESA rules from the Endpoint Rule Bundle
  • Creating groups and policies
  • Configuring Endpoint metadata forwarding and retention policies
  • Defining health and wellness policies to monitor Endpoint Server
  • Installing and configuring Relay Server

You can configure the required settings in the NetWitness user interface under Administration Services Config view ( netwitness_adminicon_25x22.png (Admin) > Services > Endpoint Server > Config).