You can view, edit, filter, and delete policies, as detailed in the following sections:
To view properties of the selected policy:
Go to Admin > Endpoint Sources.
In the left panel, select the Policies tab. The details, such as policy name, applied to groups, policy description, source type, and publication status are displayed. For more details on these columns, see Endpoint Sources - Policies.
Click the row to view details about selected policy in right pane.
The Filters Panel allows you to filter the list of displayed policies, based on the source type. You can filter on any combination of the following:
- Agent Endpoint
- Agent File Logs
- Agent Windows Logs
Additionally, you can filter based on publication status:
- Published: Policies that are published to use.
- Unpublished: Policies that are saved but not published.
- Unpublished Edits: Policies that are previously published and edited later and saved, but not published.
The Filters panel can be hidden or displayed:
- To hide, click the icon at the top-right of the panel.
- To display if hidden, click the icon in the toolbar.
Click Reset Filters to remove the currently applied filtering criteria.
You can edit the settings of the default Agent Endpoint and custom policies. The default Agent Windows Log policy cannot be edited.
To edit a policy:
Go to Admin > Endpoint Sources, and select the Policies tab.
Select a policy and click Edit.
Edit the policy details as required.
- Do one of the following:
- Click Save and Close to save the changes and return to the Policies view. The policy will be listed under the Unpublished Edits category.
- Click Publish Policy to publish the changes.
To delete a policy:
Go to Admin > Endpoint Sources.
Click the Policy tab. The available policies are displayed.
Select one or more policies and click Delete.
The confirmation message is displayed.
- In the Delete Policies dialog, click Delete Policy(ies) to permanently delete the selected policies.
An endpoint can be in more than one group, and can thus have more than one Agent Endpoint, Agent File Logs, or Windows Logs policy applied to it. In this case, there may be conflicting settings that could be applied to the endpoint.
For example, an endpoint that is in two Groups could have two, different File Log policies applied to it. In this case, some of the settings could have conflicting values. The value that is actually applied to the endpoint is determined by the highest-ranked policy that contains a value for that setting.
For example, assume there is an endpoint that has 2 Agent File Log policies applied to it:
- LF Policy One: Log File Type is webgateway, and File Encoding is set to UTF-8
- LF Policy Two: Log File Type is webgateway, and File Encoding is set to Local Encoding
How NetWitness Platform assumes the webgateway logs are encoded is dependent upon which policy is ranked higher:
- If Policy One is ranked higher than Policy Two, NetWitness Platform treats the logs as having UTF‑8 encoding.
- If Policy Two is ranked higher than Policy One, NetWitness Platform treats the logs as having Local Encoding.
For an example using EDR policies, see Simulation Examples, which shows how you can preview the settings that would be applied before actually changing any policy rankings.