Endpoint Config: Agent Modes

Document created by RSA Information Design and Development on Apr 11, 2019Last modified by RSA Information Design and Development on Apr 22, 2019
Version 3Show Document
  • View in full screen mode
 

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

In NetWitness Platform 11.3, the Endpoint agent can operate either in Insights or Advanced mode depending on the policy configuration. For more information on policy configuration, see the NetWitness Endpoint Configuration Guide. You can have both Insights and Advanced agents in a single deployment.

There is no license required for the Insights agent. However, you must procure a Throughput license for an Advanced agent. For more information on licensing, see the Licensing Management Guide.

The following table list the features supported for Insights and Advanced agents:

                                                                         
FeatureInsights AgentAdvanced Agent

Scan data -

Processes, Autroruns, Files, Drivers, Libraries, and System Information

Yes - Windows, Mac, and Linux

Yes - Windows, Mac, and Linux

Tracking data -

Process, File, Registry, Network, and Console

No

Yes - Windows and Mac

Registry and Console events are applicable only for Windows.

Anomaly detection -

Image Hooks, Kernel Hooks, Registry Discrepancies, and Suspicious Threads

NoYes - Windows
Windows log collectionYes Yes

Threat detection content -

ESA, Application Rules

YesYes
Analysis of downloaded fileNoYes

File status -

Whitelist, Blacklist, Graylist, and Neutral

Yes

(View only)

Yes

(View and modify)

File Remediate (Block)NoYes

Process visualization

No

Yes

Live connectYesYes

File reputation service

(Third-party lookup)

YesYes

Risk score for hosts

No

Yes

You are here
Table of Contents > Agent Modes

Attachments

    Outcomes