Managing Policies

Note: The information in this topic applies to NetWitness version 11.3 and later. Policies are not applicable on standalone agents.

You can view, edit, filter, and delete policies, as detailed in the following sections:

View Policy Details

To view properties of the selected policy:

  1. Go to Admin > Endpoint Sources.

  2. In the left panel, select the Policies tab. The details, such as policy name, applied to groups, policy description, source type, and publication status are displayed. For more details on these columns, see Endpoint Sources - Policies.

  3. Click a row to view details about the selected policy in the right pane.

Filter Policies

The Filters Panel allows you to filter the list of displayed policies, based on the source type. You can filter on any combination of the following:

  • Agent Endpoint
  • Agent File Logs
  • Agent Windows Logs

Additionally, you can filter based on publication status:

  • Published: Policies that have been published and are in use.
  • Unpublished: Policies that have been saved but never published.
  • Unpublished Edits: Policies that were previously published, then edited and saved, but whose edits have not yet been published.

The Filters panel can be hidden or displayed:

  • To hide it, click the close icon at the top-right of the panel.
  • To display it when hidden, click the filter icon in the toolbar.

Click Reset Filters to remove the currently applied filtering criteria.

Edit a Policy

You can edit the settings of the default Agent Endpoint and custom policies. The default Agent Windows Log policy cannot be edited.

Note: For the default EDR policy, you cannot edit the source type, policy name, and policy description. However, you can edit the details in the Define Policy panel.

To edit a policy:

  1. Go to Admin > Endpoint Sources, and select the Policies tab.

  2. Select a policy and click Edit.

  3. Edit the policy details as required.

  4. Do one of the following:
    • Click Save and Close to save the changes and return to the Policies view. The policy will be listed under the Unpublished Edits category.
    • Click Publish Policy to publish the changes.

Delete a Policy

To delete a policy:

  1. Go to Admin > Endpoint Sources.

  2. Click the Policies tab. The available policies are displayed.

  3. Select one or more policies and click Delete.

    A confirmation message is displayed.

  4. In the Delete Policies dialog, click Delete Policy(ies) to permanently delete the selected policies.

Conflict Resolution

An endpoint can be in more than one group, and can thus have more than one Agent Endpoint, Agent File Logs, or Windows Logs policy applied to it. In this case, there may be conflicting settings that could be applied to the endpoint.

For example, an endpoint that is in two groups could have two different Agent File Logs policies applied to it, and some of their settings could have conflicting values. The value that is actually applied to the endpoint is determined by the highest-ranked policy that contains a value for that setting; a setting left undefined by the higher-ranked policy is taken from the next policy down that does define it.

For example, assume there is an endpoint that has 2 Agent File Log policies applied to it:

  • LF Policy One: Log File Type is webgateway, and File Encoding is set to UTF-8
  • LF Policy Two: Log File Type is webgateway, and File Encoding is set to Local Encoding

How NetWitness assumes the webgateway logs are encoded depends on which policy is ranked higher:

  • If Policy One is ranked higher than Policy Two, NetWitness treats the logs as having UTF‑8 encoding.
  • If Policy Two is ranked higher than Policy One, NetWitness treats the logs as having Local Encoding.
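The resolution rule above, worked through as an added example. This is illustration code written for this page, not NetWitness code or its API: it models a ranked list of policies and computes, per setting, the value contributed by the highest-ranked policy that defines it, so a setting the top policy leaves unset falls through to the next policy down. The `Policy` class, the numeric rank (assumed here: rank 1 is the highest), the `conflicts` helper and the "Max File Size" and "Scan Schedule" settings are constructed for the example; only the two File Log policies and their encoding values come from the text.

```python
"""Effective-setting resolution for overlapping endpoint policies.

Added illustration, not NetWitness code. Rule modelled: an endpoint in
several groups may receive several policies of the same source type; for
each setting, the value from the highest-ranked policy that defines that
setting wins, and lower-ranked policies only fill in what the higher-ranked
ones leave unset. Policies of a different source type never interact.
"""
from dataclasses import dataclass, field
from typing import Any


@dataclass(order=True)
class Policy:
    rank: int                                   # assumption: 1 = highest priority
    name: str = field(compare=False)
    source_type: str = field(compare=False)
    settings: dict[str, Any] = field(compare=False, default_factory=dict)


def resolve_effective_settings(policies: list[Policy], source_type: str) -> dict[str, dict]:
    """Return {setting: {"value": ..., "from": policy_name}} for one source type.

    Two applicable policies sharing a rank would make the outcome ambiguous,
    so that case is rejected rather than silently picked.
    """
    applicable = sorted(p for p in policies if p.source_type == source_type)
    ranks = [p.rank for p in applicable]
    if len(ranks) != len(set(ranks)):
        raise ValueError("two policies of the same source type share a rank")
    effective: dict[str, dict] = {}
    for policy in applicable:                   # highest rank first
        for key, value in policy.settings.items():
            if key not in effective:            # first (highest-ranked) definition wins
                effective[key] = {"value": value, "from": policy.name}
    return effective


def conflicts(policies: list[Policy], source_type: str) -> list[str]:
    """Settings that more than one applicable policy defines with different values.

    Useful as a pre-publication check: these are the settings whose outcome
    changes if the policy ranking is changed.
    """
    seen: dict[str, set] = {}
    for p in policies:
        if p.source_type != source_type:
            continue
        for key, value in p.settings.items():
            seen.setdefault(key, set()).add(repr(value))
    return sorted(key for key, values in seen.items() if len(values) > 1)


# Constructed sample data: the two Agent File Logs policies from the text
# (with a hypothetical "Max File Size" setting only Policy Two defines) plus
# an Agent Endpoint policy that must not influence file-log settings.
SAMPLE_POLICIES = [
    Policy(rank=2, name="LF Policy Two", source_type="Agent File Logs",
           settings={"Log File Type": "webgateway",
                     "File Encoding": "Local Encoding",
                     "Max File Size": 10}),
    Policy(rank=1, name="LF Policy One", source_type="Agent File Logs",
           settings={"Log File Type": "webgateway",
                     "File Encoding": "UTF-8"}),
    Policy(rank=1, name="Default EDR Policy", source_type="Agent Endpoint",
           settings={"Scan Schedule": "daily"}),
]

if __name__ == "__main__":
    effective = resolve_effective_settings(SAMPLE_POLICIES, "Agent File Logs")
    for key, info in effective.items():
        print(f"{key}: {info['value']!r} (from {info['from']})")
    print("settings whose value depends on ranking:",
          conflicts(SAMPLE_POLICIES, "Agent File Logs"))
```

With Policy One ranked first, File Encoding resolves to UTF-8 while Max File Size still comes from Policy Two because Policy One does not define it; swapping the two ranks flips only the encoding. The `conflicts` output is the list a reviewer would want to inspect before changing rankings, which is the same question the Simulation Examples preview answers in the product.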

For an example using EDR policies, see Simulation Examples, which shows how you can preview the settings that would be applied before actually changing any policy rankings.