The Endpoint agents deployed in your environment may be large in number and geographically distributed. To efficiently manage and update configurations automatically, agents can be organized into smaller subsets called Groups.
Groups can be created based on IP address (IPv4 and IPv6), host names, operating system type, and operating system description. You can create groups based on your requirements. For example, you can group all agents running on Windows 2016 Server and IP ranging from 10.40.10.1 to 10.40.10.200. For more information on creating groups, see Creating Groups and Policies.
To manage the behavior of agents in a group, you can apply a set of rules called Policies. The RSA NetWitness Platform supports two types of policies for endpoints: Agent Endpoint and Agent Windows Logs policies. The following default policies are available on installation.
You can either assign the default policies to a group, modify the default EDR policy, or create custom policies based on your organization requirements.
You can do the following through a policy:
- Define the agent mode - Insights or Advanced
- Configure scan schedule and settings
- Configure endpoint settings, such as which Endpoint server the agents should communicate, port details, and beacon intervals
- Configure response actions such as blocking
- Configure Windows Log collection
When a group is created, a rank is associated with every group based on the creation order. If an agent belongs to multiple groups, to handle conflicting configurations, you can reorder the groups to change the ranking, and the policy associated with the highest ranked group takes precedence.
A Server group contains 100 hosts with a default Agent Endpoint policy. Amongst these, if 20 hosts require further investigations, analyst can:
- Create a temporary group with a static list of these 20 hosts.
- Create or apply any policy to this group that will not impact any other hosts.
Edit the ranking for the new group, moving to the top of the Ranking list (making sure it is above the existing Server group).
- After investigation is done, delete this group. The hosts are revalidated and assigned to the appropriate group based on the ranking.
Each agent is a part of a unique group that is associated with a policy, where each policy has all settings S1, S2, S3, S4, and S5 defined. For example, Agent 2 is a part of the group Hardware, where all settings in the policy Hardware are applicable.
In the policy Hardware, S4 and S5 settings are not defined, and hence the agent 2 inherits settings S4 and S5 from the default policy.
- Agent 2 is a part of the highest ranked group Hardware, and with the policy Hardware. The agent 2 inherits settings S3, S4, and S5 from the default policy as they are not defined in the policy Hardware.
- Agent 3 is a part of Hardware, Software, and Engineering groups, and with the policy Software. The agent considers the settings S4 and S5 from the policy Software, and the remaining undefined settings are inherited as follows:
- S1 and S2 from the policy Hardware, which is associated with the highest ranked group.
- S3 from the policy Engineering, which is the next ranked group.
- Agent 4 is a part of Hardware, Software, and Engineering groups, and with the policy Engineering.
Though settings S1 and S2 are defined in policy Engineering, the agent 4 considers the settings S1 and S2 from the policy Hardware as it is associated with the highest ranked group.
- S4 and S5 from the policy Software, which is the associated with the next highest ranked group.
- S3 from the policy Engineering.
The following are some of the key points:
- If an agent is not assigned to any group, default policies are applied.
- A policy can be assigned to multiple groups. However, a group can only have one policy of each type (Agent Endpoint and Agent Windows Logs).
- An agent can belong to multiple groups. The policy is derived based on the ranking of the group as shown in the above example (case 3).
If all settings are defined in a single policy, and it is the highest ranked policy for an agent, no policy settings from other ranked groups are inherited (case 1).
If there are any undefined settings in the policy, the settings from the default policy is considered as shown in the example above (case 2 and 3).
If an agent falls into more than one group, its complete set of policy attributes is determined as follows:
- It takes all settings from the highest ranked policy that applies.
- Any settings that are not set in the highest ranked policy are taken from the next highest ranked policy that applies.
- If there are still unset attributes , they are taken from the default policy.
- If there are any conflicts, the higher ranked policy wins.
Assume the following:
- Agent A belongs to below two groups, Production Servers and All Windows Hosts.
The Production Servers group has the Schedule scan set and no blocking policy assigned, and it has the following settings:
- Schedule Scan : Enabled
- Effective Date: 2019-03-08
- Start Time: 09:00
- Scan Frequency: Every 1 day(s)
- CPU Maximum: 45 %
- Virtual Machine Maximum: 20 %
- Blocking: Disabled
The All Windows Hosts group has the EDR for All Windows policy applied, which has the following settings:
- Scan Master Boot Record: Disabled
- Blocking: Enabled
- The Production Servers group is ranked higher than the All Windows Hosts group for EDR policies. Keep in mind that ranking only applies to policies of the same source type: that is, all EDR policies are ranked, and all Windows Logs policies are ranked separately.
Agent A gets its final policy configuration as per the ranking of the groups (and associated policies) to which it belongs:
- The agent uses the schedule set in the Schedule scan set and no blocking policy.
- Scan Master Boot Record is disabled, because that is set in the EDR for All Windows policy.
- Blocking is disabled: since there is a conflict, the value in the higher ranked policy is used.
- All other attributes are set based on values in the Default EDR policy.
- Note that if you wanted Blocking to be enabled, you could change the group ranking so that All Windows Hosts is higher than Production Servers: in this case, Production Servers would win the conflict, and Blocking would be enabled for Agent A.
When an agent is installed, it operates in an Insights mode until a policy is assigned. The following are the default EDR policy settings:
The following are the default Windows Log policy settings: