Endpoint Config: Create Groups and Policies

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on May 17, 2019. Version 4.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

The following sections provide instructions on how to create groups and policies.

Create a Group

To create a group:

  1. Go to ADMIN > Endpoint Sources view.

  2. In the left panel, select the Groups tab.

    Groups tab

  3. In the toolbar, click Create New.

  4. In the New Group panel, click Identify Group, enter a group name and description, and click Next.

    Identify Group

  5. Click Define Group and specify the logical statements that define the condition for an agent to be included in the group. Each logical statement consists of a parameter, an operator, and the values to match.

    Define group

    • In the Include source if ___ of the conditions are met field, select all or any.

    • For each logical statement, select the required options:

      Item / Description

      Parameter

      The parameter can be OS Type, OS Description, Host Name, IPv4, or IPv6.

      • OS Type, OS Description, Host Name: The value you enter should reference hardware or virtual machines that are running endpoint agents.
      • IPv4 or IPv6: Enter valid IP addresses as either ranges or as a set of IP addresses to include or exclude.

      Note: If you do not want to include certain IP addresses, use the Not in operator, and enter the IP addresses separated by spaces or commas.

      Operator

      The available operators depend on the parameter you chose. For example, if your parameter is OS Type, the only operator available is in.

      Value or values to match

      The value or values to match. For the OS Type parameter, you can choose one or more values from the drop-down list. For all other parameters, you can enter free-form text.

      Note: Although you can enter any text for values, the system validates your entries when you attempt to proceed to another screen, and will not allow you to proceed until the values are valid.

  6. Click Add Condition to add another condition.

  7. Click Next to proceed.

  8. (Optional) Click Apply Policy(ies) and select the source type from the drop-down list. Policies with the selected source type are displayed below Available Policies. You can assign either default or custom policies. For more information on creating policies, see Create an EDR Policy and Create a Windows Log Policy.

    Select a policy by clicking Select policy. Skip this step if you want to apply a policy to the group later.

    Apply policy

    Note: You can attach only one policy per source type to a group. That is, you cannot attach more than one Agent Endpoint policy to a single group, nor more than one Agent Windows Logs policy.

  9. Do one of the following:
    • Click Save and Close to save the settings and return to the Groups view. The publication status is displayed as Unpublished in the Groups view.

      Note: You can select an unpublished group and click Publish to publish it.

    • Click Publish Now to publish the group.
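The group definition above combines logical statements (parameter, operator, values) with the all/any selector, and the note on the Not in operator accepts space- or comma-separated addresses. The following is an added example, not RSA's code, that models that evaluation over a constructed agent inventory so the effect of all versus any and of an exclusion can be checked before a group is published. The operators in and not in are the ones named in the procedure; the dash range syntax ("10.1.2.1-10.1.2.100"), the agent record layout and the OS Type values are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Condition:
    """One logical statement of a group definition: parameter, operator, values."""
    parameter: str           # "OS Type", "OS Description", "Host Name", "IPv4" or "IPv6"
    operator: str            # "in" or "not in" (the operators named in the procedure)
    values: Tuple[str, ...]  # values to match, as typed into the editor


def _parse_ip_values(values):
    """Expand IP value strings into (low, high) address pairs.

    Single addresses and dash-separated ranges are accepted, separated by spaces or
    commas; the range syntax is an assumption of this example, not the product's."""
    pairs = []
    for value in values:
        for token in value.replace(",", " ").split():
            if "-" in token:
                low, high = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            else:
                low = high = ipaddress.ip_address(token)
            pairs.append((low, high))
    return pairs


def _ip_matches(address, values):
    """True if address falls in any listed address or range of the same IP version."""
    addr = ipaddress.ip_address(address)
    return any(low <= addr <= high
               for low, high in _parse_ip_values(values)
               if low.version == addr.version)   # never compare IPv4 with IPv6


def condition_matches(cond, agent):
    """Evaluate one statement against an agent record (a dict keyed by parameter name)."""
    actual = agent.get(cond.parameter)
    if actual is None:                # the agent does not report this parameter
        return False
    if cond.parameter in ("IPv4", "IPv6"):
        hit = _ip_matches(actual, cond.values)
    else:                             # OS Type / OS Description / Host Name: exact text match
        hit = actual in cond.values
    if cond.operator == "in":
        return hit
    if cond.operator == "not in":     # the Not in operator from the note above
        return not hit
    raise ValueError(f"unsupported operator: {cond.operator!r}")


def agent_in_group(agent, conditions, mode="all"):
    """Combine the statements with all (every condition) or any (at least one)."""
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    combine = all if mode == "all" else any
    return combine(condition_matches(c, agent) for c in conditions)


# Constructed sample inventory; host names, addresses and OS Type labels are illustrative.
AGENTS = [
    {"Host Name": "WKS-001", "OS Type": "Windows", "IPv4": "10.1.2.15"},
    {"Host Name": "SRV-DB1", "OS Type": "Linux",   "IPv4": "10.1.2.200"},
    {"Host Name": "MAC-007", "OS Type": "Mac",     "IPv4": "10.1.3.7"},
]


def select_group(conditions, mode="all", agents=AGENTS):
    """Return the host names of the agents the group definition would include."""
    return [a["Host Name"] for a in agents if agent_in_group(a, conditions, mode)]


if __name__ == "__main__":
    servers_and_workstations = [
        Condition("OS Type", "in", ("Windows", "Linux")),
        Condition("IPv4", "in", ("10.1.2.1-10.1.2.100",)),
    ]
    print("all:", select_group(servers_and_workstations, "all"))
    print("any:", select_group(servers_and_workstations, "any"))
    print("exclusion:", select_group([Condition("IPv4", "not in", ("10.1.2.15, 10.1.2.200",))]))
```

Switching the same two statements from all to any changes the result from one host to two, which is the check worth running on a real inventory before publishing: an overly broad group silently applies a policy to hosts it was not meant for.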

Create an EDR Policy

While creating a policy (either an EDR policy or a Windows Log policy), note the following:

  • Whenever you choose a setting, it is added to the Selected Settings panel.
  • To remove a selected setting, click Cancel for that setting.
  • At any point in the wizard, you can choose Save and Close, so that you can return to complete the policy creation at a later time.

To create an EDR policy:

  1. Go to ADMIN > Endpoint Sources.

  2. Click Policies. The available policies are displayed.

    Policies tab

  3. Click Create New to add a new policy.

  4. In the New Policy panel, select Identify Policy, and do the following:

    Identify policy

    • Select Agent Endpoint as the source type from the drop-down list.
    • Enter the policy name.
    • Enter a description for the policy.
  5. Click Next.

  6. Click the select-and-expand button to choose a setting from the list of Available Settings. The setting moves to the Selected Settings panel, where you enter the required values. For details, see Define Policy Panel for Agent Endpoint Policy.

    Define EDR policy

    • In the Scan Schedule category:

      - Enable Run Schedule Scan to configure the scan.

      Note: The following scan schedule options are available only when the scan schedule is enabled.

      - Set the date when the scan schedule should be effective.

      - Select the recurrence (days or weeks) and frequency of the scan.

      - Select the start time of the scan.

      - Set the CPU Maximum value using the slider.

      - If the agents are running on virtual machines, set the Virtual Machine Maximum value using the slider.

    • Add Agent Mode to select the monitoring mode of the agent - Insights or Advanced.
    • In the Scan Settings category:

      - Enable Scan Master Boot Record to include Master Boot Record (MBR) details in scheduled scans.

      - Enable Auto Scan New Systems When Added to automatically queue a scan for any host that does not have any snapshot data.

    • Enable Response Action Settings to prevent the execution of a malicious file on any host.
    • In the Endpoint Server Settings:

      • From the drop-down list, select the Endpoint Server with which the agent will communicate.

        Note: If you do not select an Endpoint Server, the agent uses the default Endpoint Server that is configured during packager generation.

      • (Optional) Enter an alternative hostname or IP address.

      • Enter the HTTPS port used for communication.
      • Specify the HTTPS beacon interval.
      • Enter the UDP port used for communication.
      • Specify the UDP beacon interval.
    • Advanced Configuration - For RSA Support staff only.

      IMPORTANT: It is strongly recommended not to use the Advanced Configuration unless advised to do so by RSA Support staff.

  7. Do one of the following:
    • Click Save and Close to save the settings and return to the Policies view. The policy will be listed under the Unpublished category.
    • Click Publish Policy to publish the policy.

Create a Windows Log Policy

To create a Windows Log policy:

  1. Go to ADMIN > Endpoint Sources.
  2. Click Policies. The available policies are displayed.
  3. Click Create New to add a new policy.

  4. In the New Policy panel, select Identify Policy, and do the following:

    Define Windows Log policy

    • Select Agent Windows Logs as the source type from the drop-down list.
    • Enter the policy name.
    • Enter a description for the policy.
  5. Click Next.
  6. Click the select-and-expand button to choose a setting from the list of Available Settings. The setting moves to the Selected Settings panel, where you enter the required values.

    Define Windows Log policy

    • Select Windows Log Collection to enable Windows Log collection. By default, this option is disabled.

    • Enable Send Test Log to send a test log. By default, this option is disabled.

    • From the drop-down list, select the Primary Log Decoder / Log Collector to which logs are forwarded.

    • (Optional) From the drop-down list, select the Secondary Log Decoder / Log Collector to which logs are forwarded.

      Note: When the Endpoint Agent is configured to use the UDP protocol and the Primary Log Decoder / Remote Log Collector is not reachable, the secondary Log Decoder or Log Collector is not functional. Logs are not forwarded to the secondary Log Decoder or Log Collector when the primary is down, which results in event loss.

    • Select Protocol from the drop-down list. The available options are UDP, TCP, and TLS. By default, the protocol is TCP.

    • Add Channel Filters and, from the drop-down list, select the channels from which logs are collected. You can add or remove a channel filter and specify individual Event IDs.

  7. Do one of the following:
    • Click Save and Close to save the settings and return to the Policies view. The policy will be listed under the Unpublished category.
    • Click Publish Policy to publish the policy.
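The channel filters in step 6 decide which Windows events the agent forwards: a channel, optionally narrowed to individual Event IDs. The following is an added example, not RSA's code, that models that selection over constructed sample events and reports the per-channel effect, which is the number worth knowing before publishing a policy that narrows collection. It assumes that a filter with no Event IDs collects the whole channel; the hosts are fictitious, and the Event IDs are standard Windows IDs used only as sample data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class ChannelFilter:
    """One channel filter: a Windows event channel plus optional individual Event IDs.

    An empty event_ids set is read as 'collect every event in this channel'; that
    treatment of an ID-less filter is an assumption of this example."""
    channel: str
    event_ids: FrozenSet[int] = frozenset()

    def matches(self, record: Dict) -> bool:
        if record["Channel"] != self.channel:
            return False
        return not self.event_ids or record["EventID"] in self.event_ids


def collected(records, filters):
    """Return the records that at least one channel filter selects for forwarding."""
    return [r for r in records if any(f.matches(r) for f in filters)]


def collection_summary(records, filters):
    """Per-channel (forwarded, total) counts, to size the impact of a filter set."""
    total = Counter(r["Channel"] for r in records)
    kept = Counter(r["Channel"] for r in collected(records, filters))
    return {channel: (kept[channel], total[channel]) for channel in sorted(total)}


# Constructed sample events; Event IDs are standard Windows IDs, the host is fictitious.
SAMPLE_EVENTS = [
    {"Channel": "Security",    "EventID": 4624, "Computer": "WKS-001"},  # logon
    {"Channel": "Security",    "EventID": 4688, "Computer": "WKS-001"},  # process creation
    {"Channel": "Security",    "EventID": 5156, "Computer": "WKS-001"},  # filtering platform connection
    {"Channel": "System",      "EventID": 7045, "Computer": "WKS-001"},  # service installed
    {"Channel": "Application", "EventID": 1000, "Computer": "WKS-001"},  # application error
]

# A filter set as it might be entered in the policy: two Security IDs plus the whole System channel.
FILTERS = [
    ChannelFilter("Security", frozenset({4624, 4688})),
    ChannelFilter("System"),
]


def forwarded_ids(records=SAMPLE_EVENTS, filters=FILTERS):
    """(channel, EventID) pairs the agent would forward under the given filters."""
    return [(r["Channel"], r["EventID"]) for r in collected(records, filters)]


if __name__ == "__main__":
    for item in forwarded_ids():
        print(item)
    print(collection_summary(SAMPLE_EVENTS, FILTERS))
```

Running the summary against a representative day of events from a test host shows, per channel, how much of the stream a proposed filter set drops, so that a filter meant to reduce volume is not also dropping the events a detection depends on.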
