Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Endpoint Config: Manage Policies

Document created by RSA Information Design and Development Employee on Apr 11, 2019Last modified by RSA Information Design and Development Employee on Nov 2, 2020
Version 20Show Document
  • View in full screen mode

Note: The information in this topic applies to RSA NetWitness Platform Version 11.3 and later.

You can view, edit, filter, and delete policies, as detailed in the following sections:

View Policy Details

To view properties of the selected policy:

  1. Go to (Admin) > Endpoint Sources.

  2. In the left panel, select the Policies tab. The details, such as policy name, applied to groups, policy description, source type, and publication status are displayed. For more details on these columns, see Endpoint Sources - Policies.

  3. Click the row to view details about selected policy in right pane.

    Policy Properties

Filter Policies

The Filters Panel allows you to filter the list of displayed policies, based on the source type. You can filter on any combination of the following:

  • Agent Endpoint
  • Agent File Logs
  • Agent Windows Logs

Additionally, you can filter based on publication status:

  • Published: Policies that are published to use.
  • Unpublished: Policies that are saved but not published.
  • Unpublished Edits: Policies that are previously published and edited later and saved, but not published.

Filter policies

The Filters panel can be hidden or displayed:

  • To hide, click the Close icon at the top-right of the panel.
  • To display if hidden, click the Filter icon in the toolbar.

Click Reset Filters to remove the currently applied filtering criteria.

Edit a Policy

You can edit the settings of the default Agent Endpoint and custom policies. The default Agent Windows Log policy cannot be edited.

Note: For the default EDR policy, you cannot edit the source type, policy name, and policy description. However, you can edit the details in the Define Policy panel.

To edit a policy:

  1. Go to (Admin) > Endpoint Sources, and select the Policies tab.

  2. Select a policy and click Edit.

    Edit a policy

  3. Edit the policy details as required.

  4. Do one of the following:
    • Click Save and Close to save the changes and return to the Policies view. The policy will be listed under the Unpublished Edits category.
    • Click Publish Policy to publish the changes.

Delete a Policy

To delete a policy:

  1. Go to (Admin) > Endpoint Sources.

  2. Click the Policy tab. The available policies are displayed.

    Edit a policy

  3. Select one or more policies and click Delete.

    The confirmation message is displayed.

  4. In the Delete Policies dialog, click Delete Policy(ies) to permanently delete the selected policies.

Conflict Resolution

An endpoint can be in more than one group, and can thus have more than one Agent Endpoint, Agent File Logs, or Windows Logs policy applied to it. In this case, there may be conflicting settings that could be applied to the endpoint.

For example, an endpoint that is in two Groups could have two, different File Log policies applied to it. In this case, some of the settings could have conflicting values. The value that is actually applied to the endpoint is determined by the highest-ranked policy that contains a value for that setting.

For example, assume there is an endpoint that has 2 Agent File Log policies applied to it:

  • LF Policy One: Log File Type is webgateway, and File Encoding is set to UTF-8
  • LF Policy Two: Log File Type is webgateway, and File Encoding is set to Local Encoding

How NetWitness Platform assumes the webgateway logs are encoded is dependent upon which policy is ranked higher:

  • If Policy One is ranked higher than Policy Two, NetWitness Platform treats the logs as having UTF‑8 encoding.
  • If Policy Two is ranked higher than Policy One, NetWitness Platform treats the logs as having Local Encoding.

For an example using EDR policies, see Simulation Examples, which shows how you can preview the settings that would be applied before actually changing any policy rankings.

Previous Topic:Manage Groups
You are here
Table of Contents > Manage Policies