Endpoint Config: Policies Reference

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on May 17, 2019.
Version 4

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

The ADMIN > Endpoint Sources view contains two tabs: Groups and Policies.

Workflow

Creating and managing Endpoint policies

What do you want to do?

                                                          
User Role       I want to ...                   Show me how
Administrator   create new groups               Create a Group
Administrator   edit groups                     Edit a Group
Administrator   edit ranking                    Change Policy Ordering for Groups
Administrator   delete groups                   Delete a Group
Administrator   view default policies*          Default Agent Endpoint (EDR) Policy
Administrator   create an EDR policy*           Create an EDR Policy
Administrator   create a Windows Log policy*    Create a Windows Log Policy
Administrator   edit policies*                  Edit a Policy
Administrator   delete policies*                Delete a Policy

*You can perform this task in the current view.

Quick Look

Below is an example of the Policies tab:

1. Actions in the toolbar:

  • Create New: Lets you create a new policy. For more information, see Managing Policies.
  • Publish: Publishes the selected policy.
  • Edit: Lets you edit the details of an existing policy. For more information, see Edit a Policy.
  • Delete: Deletes the selected policies permanently. For more information, see Delete a Policy.
2. Filters: You can filter groups based on Source Type and Publication Status. To hide the panel, click the Close icon at the top-right of the panel. To display the panel if it is hidden, click the Filter icon in the toolbar.

Reset: Removes the currently applied filter criteria.

For more information, see Filter Policies.

3. Policy View. Displays the policy details:

  • Policy name: Name of the policy.
  • Applied to groups: Lists the group to which this policy is applied.
  • Policy description: Description of the policy.
  • Source type: Defines the source type: Agent Endpoint or Agent Windows Logs.
  • Publication Status: Status of the policy: Published or Unpublished.

Sort Columns. If you mouse over a column header, a sort icon is displayed. Click the icon to sort by the selected column.

4. Properties Panel. Displays the properties of the selected policy.

Note: To view the Properties panel for a policy, click the Policy Name.

Create Policy

Below is an example of the Create Policy dialog. The table describes the information and options in the Create Policy dialog.

Identify policy

                       
Field / Description

Source Type

Displays the source type for the policy. Available options are Agent Endpoint and Agent Windows Logs.

Policy Name

Name of the policy. The name should be unique.

Policy Description

Description of the policy. The description should not exceed 8000 characters.

Define Policy Panel for Agent Endpoint Policy

Below is an example of Define policy panel. The table describes the information and options for Agent Endpoint policy:

Define EDR policy

                                                                                          
Setting / Description

Scan Schedule

Run Scheduled Scan

Run a scheduled scan if you want to receive regular snapshots from a host. Scan snapshots provide detailed information about processes and files loaded in memory. By default, this option is disabled.
You can also run a manual scan from the INVESTIGATE > Hosts view.

Note: The following scan schedule options are available only when the scan schedule is enabled.
The values entered are specific to the agent time zone.

Effective Date

Date when the policy takes effect. If you do not want this policy to take effect as soon as it is applied to a group and published, set an effective date that is in the future. By default, this is set to the current date.

Scan Frequency

Determines how often the scheduled scan runs on a host. By default, this is set to every 1 week. Every network is different and the frequency should balance the needs of the analysts for current data, availability to review the data, and how systems deal with the load of the generated data.

Select Days or Weeks:

  • Days: Select the number of days of the scan frequency. You can set a schedule to scan every n days, where n is 1, 2, 3, 4, 5, 6, 10, 15, or 20. For example, to scan every third day, select 3.
  • Weeks: Select after how many weeks the policy scan should be initiated and on which day of the week the policy scan should initiate. For example, to scan every other Wednesday, choose 2 and W.

Start Time

Time when the scheduled scan starts to run on a host. By default, this is set to 9:00. This is the local host time, meaning that scans across a global network will not all run at once. Note that the time is in 24-hour format. To set a time of 7:30 PM, select 19:30.

CPU Maximum

Amount of CPU the agent can use to run scheduled scans on physical hosts. By default, the value is set at 25%. Increasing the CPU maximum increases the speed of scan snapshot retrieval.

Drag the slider to specify the maximum CPU usage by the created policy. Minimum value is 5%. Use the slider to select the maximum CPU processing power to use for the scan. Note that the higher the percentage, the less CPU is available for other tasks on the host.

Virtual Machine Maximum

Amount of CPU the agent can use to run scheduled scans on virtual machines. By default, the value is set at 10%. Increasing the virtual machine maximum value increases the speed of scan snapshot retrieval.

Drag the slider to specify the maximum Virtual Machine usage by the policy. Minimum value is 5%. Use the slider to select the maximum CPU processing power to use for the scan. Keep in mind that the higher the percentage, the less CPU is available for other tasks running on the virtual machine.

Agent Mode

Monitoring mode

Allows you to specify whether an agent operates in Insights (free) or Advanced (licensed) mode. By default, it is set to Advanced.

Scan Settings

Scan Master Boot Record

Includes Master Boot Record (MBR) details in scheduled scans. By default, this option is disabled. This can help to identify when an operating system boot sequence is compromised. However, not all modifications to the MBR are malicious, as they could be made to provide encryption or enforce licensing of certain legitimate software.

Auto Scan New Systems When Added

Automatically scans when a new host is added. By default, this option is disabled. If this option is disabled, no snapshot data is displayed in the INVESTIGATE > Hosts view until a manual or scheduled scan is run on these hosts. Existing hosts will not be affected.

Note: Enabling this option on a new deployment when this policy is applied to a large number of hosts may result in a large number of simultaneous scans that cause performance degradation.

Response Action Settings

Blocking

Allows an analyst to prevent the execution of a malicious file on any host running an Advanced mode agent. By default, this option is disabled. File blocking will not be enforced if it is disabled by policy, which might be desirable to ensure that there are no performance side effects on systems where CPU or IO performance is critical.

Note: Blocking is not supported for an Insights agent.

Endpoint Server Setting

Endpoint Server

Displays all available Endpoint servers in the deployment.

Note: If you do not select an Endpoint Server, the agent uses the default Endpoint Server that is configured during packager generation.

Endpoint Server Forwarder (Optional)

The optional server alias allows you to enter an alternative hostname or IP address on which the server can be reached in the case that agents need to go through a NAT or similar in order to reach the Endpoint Server.

HTTPS Port

Port number used for HTTPS communication. By default, the port is set to 443.

If you want to change this port, make sure that it matches the server configuration. If you enter the wrong port, the agents can no longer communicate with the Endpoint server and the system will be non-functional.

HTTPS Beacon Interval

Determines how often an agent can communicate with the Endpoint server over HTTPS. By default, the value is set to 15 minutes. The default method of beaconing is UDP. Beaconing is used as a method of keep-alive to know if a host is online and to allow hosts to respond faster than the fallback HTTPS beacon time.

UDP Port

Port number used for UDP communication. By default, the port is set to 444.

If you want to change this port, make sure that it matches the server configuration. Entering the wrong port results in loss of functionality and affects performance.

UDP Beacon Interval

Determines how often an agent can communicate with the Endpoint server over UDP. By default, the value is set to 30 seconds.
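As an added example (not RSA's code), the following Python computes when the Scan Schedule settings above next fire on a host, using the page's day intervals, the weeks-plus-weekday option, the 24-hour start time and the rule that start times are agent-local; the weekday numbering (Monday=0, so "W" is 2) and the fixed-offset agent time zones are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone, tzinfo
from typing import Optional

ALLOWED_DAY_INTERVALS = {1, 2, 3, 4, 5, 6, 10, 15, 20}   # "every n days" choices on the page


@dataclass(frozen=True)
class ScanSchedule:
    effective_date: date            # date the policy takes effect
    unit: str                       # "days" or "weeks"
    every: int                      # n days, or N weeks
    weekday: Optional[int] = None   # weeks only; assumed Monday=0 ... Sunday=6 ("W" = 2)
    start_time: time = time(9, 0)   # default 9:00, 24-hour clock, agent local time


def first_run(sched: ScanSchedule) -> datetime:
    """First scan start (agent local time) permitted by the schedule."""
    if sched.unit == "days":
        if sched.every not in ALLOWED_DAY_INTERVALS:
            raise ValueError(f"unsupported day interval {sched.every}")
        return datetime.combine(sched.effective_date, sched.start_time)
    if sched.unit == "weeks":
        if sched.every < 1 or sched.weekday is None:
            raise ValueError("weekly schedule needs every >= 1 and a weekday")
        # first chosen weekday on or after the effective date
        offset = (sched.weekday - sched.effective_date.weekday()) % 7
        start_day = sched.effective_date + timedelta(days=offset)
        return datetime.combine(start_day, sched.start_time)
    raise ValueError(f"unknown unit {sched.unit!r}")


def next_run(sched: ScanSchedule, now_local: datetime) -> datetime:
    """Next scan start at or after now_local (naive datetime in agent local time)."""
    first = first_run(sched)
    step = timedelta(days=sched.every) if sched.unit == "days" else timedelta(weeks=sched.every)
    if now_local <= first:
        return first
    candidate = first + ((now_local - first) // step) * step   # last boundary <= now
    return candidate if candidate >= now_local else candidate + step


def next_run_utc(sched: ScanSchedule, now_utc: datetime, agent_tz: tzinfo) -> datetime:
    """The same schedule seen from UTC: the start time is local, so agents in
    different zones fire at different instants rather than all at once."""
    local_now = now_utc.astimezone(agent_tz).replace(tzinfo=None)
    return next_run(sched, local_now).replace(tzinfo=agent_tz).astimezone(timezone.utc)
```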

Define Policy Panel for Windows Logs Policy

The table describes the information and options for Agent Windows Logs policy:

Define Windows Log policy

                                   
Setting / Description

Windows Log Collection

If enabled, logs from the Windows hosts are collected and forwarded to the NetWitness Platform. By default, this option is disabled.

Send Test Log

If enabled, a sample log is sent to the configured server when the policy is loaded, to test connectivity. This lets you test the configuration before standard logs are available. By default, this option is disabled.

Primary Log Decoder / Log Collector

Primary NetWitness Platform Log Decoder or Log Collector to which the collected Windows logs are forwarded.
(Optional) Secondary Log Decoder / Log collector

If the primary Log Decoder or Log Collector is not reachable, the collected Windows logs are forwarded to the secondary Log Decoder or Log Collector.

Note: NetWitness Platform cannot detect failures when UDP protocol is used.

Protocol

Select whether the TLS, TCP, or UDP transport protocol is used to forward the collected Windows logs to the NetWitness Platform servers. By default, the protocol is TCP.

Channel Filters

Configure which Windows Log events to collect by selecting a channel, filter condition, and the relevant event IDs. You can either select common channels, such as Security or System from the drop-down list, or create custom channels by entering the channel name. By default, all events are collected from a selected channel.

To collect a subset of events from that channel, replace 'ALL' with the relevant Event IDs. Select INCLUDE to collect only events with the listed Event IDs, or select EXCLUDE to collect all events except those with the listed Event IDs.
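As an added example (not RSA's code), this Python evaluates Channel Filters as described above against constructed sample events; the comma-separated Event ID syntax, the case-insensitive channel match and the union of several filters on one channel are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ChannelFilter:
    channel: str
    condition: str                        # "INCLUDE" or "EXCLUDE"
    event_ids: Optional[FrozenSet[int]]   # None stands for 'ALL'


def parse_filter(channel: str, condition: str, ids_text: str) -> ChannelFilter:
    """Build a filter from the three dialog fields; ids_text is 'ALL' or IDs like '4624, 4625'."""
    cond = condition.strip().upper()
    if cond not in ("INCLUDE", "EXCLUDE"):
        raise ValueError(f"condition must be INCLUDE or EXCLUDE, got {condition!r}")
    text = ids_text.strip()
    if text.upper() == "ALL":
        return ChannelFilter(channel.strip(), cond, None)
    ids = frozenset(int(tok) for tok in text.split(",") if tok.strip())
    if not ids:
        raise ValueError("event ID list is empty; use ALL to collect everything")
    return ChannelFilter(channel.strip(), cond, ids)


def collects(flt: ChannelFilter, channel: str, event_id: int) -> bool:
    """True if this filter forwards the event (channel names compared case-insensitively)."""
    if flt.channel.lower() != channel.lower():
        return False
    if flt.event_ids is None:            # 'ALL': every event from the channel
        return True
    listed = event_id in flt.event_ids
    return listed if flt.condition == "INCLUDE" else not listed


def forwarded(filters: Iterable[ChannelFilter],
              events: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Events that at least one configured filter collects; unconfigured channels are dropped."""
    flts = list(filters)
    return [ev for ev in events if any(collects(f, *ev) for f in flts)]


# Constructed sample policy: only logon-related events from Security, and
# everything from System except the chatty 7036 service state-change messages.
POLICY = [
    parse_filter("Security", "INCLUDE", "4624, 4625, 4648"),
    parse_filter("System", "EXCLUDE", "7036"),
]
# Constructed sample events as (channel, Event ID) pairs.
SAMPLE_EVENTS = [("Security", 4624), ("Security", 4688), ("System", 7036),
                 ("System", 7045), ("Application", 1000)]
```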
