Endpoint Config: Agent Modes

Document created by RSA Information Design and Development on Apr 11, 2019
Last modified by RSA Information Design and Development on May 17, 2019
Version 4

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

In NetWitness Platform 11.3, the Endpoint agent can operate either in Insights or Advanced mode depending on the policy configuration. For more information on policy configuration, see the NetWitness Endpoint Configuration Guide. You can have both Insights and Advanced agents in a single deployment.

There is no license required for the Insights agent. However, you must procure a Throughput license for an Advanced agent. For more information on licensing, see the Licensing Management Guide.

The following table lists the features supported for Insights and Advanced agents:

| Feature | Insights Agent | Advanced Agent |
|---|---|---|
| Scan data - Processes, Autoruns, Files, Drivers, Libraries, and System Information | Yes - Windows, Mac, and Linux | Yes - Windows, Mac, and Linux |
| Tracking data - Process, File, Registry, Network, and Console | | Yes - Windows and Mac. Registry and Console events are applicable only for Windows. |
| Anomaly detection - Image Hooks, Kernel Hooks, Registry Discrepancies, and Suspicious Threads | No | Yes - Windows |
| Windows log collection | Yes | Yes |
| Threat detection content - ESA, Application Rules | | |
| Analysis of downloaded file | No | Yes |
| File status - Whitelist, Blacklist, Graylist, and Neutral | (View only) | (View and modify) |
| File Remediate (Block) | No | Yes |
| Process visualization | | |
| Live connect | Yes | Yes |
| File reputation service (Third-party lookup) | | |
| Risk score for hosts | | |
