NetWitness Endpoint Quick Start Guide for RSA NetWitness Platform 11.x

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by Susan Ewald on May 30, 2019.

What is NetWitness Endpoint?

RSA NetWitness Endpoint is an endpoint detection and response tool that continuously monitors the behavior of all endpoints in the network to provide deep visibility and analysis of executables and processes. It helps to detect new, unknown, and targeted attacks, highlights suspicious activity for investigation, exposes anomalous behaviors, and determines the scope of compromise to help analysts respond to advanced threats faster.

About this Guide

This guide provides end-to-end instructions to configure NetWitness Platform Endpoint and to use Endpoint features.

RSA NetWitness Platform 11.3 Documentation in RSA Link

NetWitness Platform product documentation is organized along functional lines. If you are looking for a specific guide or version, go to the Version 11.x Master Table of Contents.

Use these links to view the RSA NetWitness Platform 11.3 documentation. Both links provide the same documentation, in these two formats:

Use these links to access documentation that is not related to a particular version of the software:

Getting Started

The following tasks can be performed in any sequence.

Roles: Incident Responder, Threat Hunter, System Administrator

Description: View information about product updates, improvements, and known issues.
References: Release Notes

Description: Understand NetWitness Endpoint.
References: "Getting Started with NetWitness Platform" and "Investigate" in the NetWitness Platform Getting Started Guide

Setup and Installation

Fresh Installation

The following tasks must be performed in the sequence listed.

Roles: System Administrator

Description: Obtain a license for Endpoint Log Hybrid.
References: Licensing Management Guide

Description: Review the supported hardware.
References: "Supported Hardware" in the Physical Host Installation Guide

Description: Review the Endpoint architecture; plan your deployment based on the number, distribution, and location of your endpoints; and choose one of the following deployments:
  • Single Endpoint server
  • Multiple Endpoint servers
References: "NetWitness Endpoint Architecture" in the Deployment Guide

Description: Configure the ports on your firewall.
References: "Network Architecture and Ports" in the Deployment Guide

Description: Install NetWitness Server and other components. For a single Endpoint server deployment, you need to install NetWitness Server, Endpoint Log Hybrid, and ESA. For a multiple Endpoint server deployment, in addition to the above components, you need to install an additional Endpoint Log Hybrid and a NetWitness Broker with the Endpoint Broker installed on it.
References:
  • Physical Host Installation Guide for instructions on how to set up physical hosts
  • Virtual Host Installation Guide for instructions on how to set up virtual hosts

Description: Install Endpoint Log Hybrid.
References: "RSA NetWitness Endpoint" in the Physical Host Installation Guide

Description: Review the services installed.
References: Hosts and Services Getting Started Guide

Note: Review the default policies and modify them accordingly.

Description: Install the Endpoint agent on hosts.
References: "Endpoint Sources" topic in the Endpoint Configuration Guide; NetWitness Endpoint Agent Installation Guide

Upgrade

The following tasks must be performed in the sequence listed.

Roles: System Administrator

Description: Upgrade from 10.6.5 to 11.3. After the NetWitness Platform 11.3 upgrade, install the Endpoint Log Hybrid and other Endpoint components.
References:
  • Physical Host Upgrade Guide for instructions on upgrading physical hosts
  • Virtual Host Upgrade Guide for instructions on upgrading virtual hosts

Description: Update from 11.x to 11.3. Update the Endpoint server and agents.
References: Update Guide

Description: Upgrade Endpoint Agents from 11.1.x and 11.2.x to 11.3.
References: "Upgrade Agents" in the Endpoint Agent Installation Guide

Description: Migrate NetWitness Endpoint 4.4.0.x to NetWitness Platform.
References: NetWitness Endpoint 4.4.0.x to RSA NetWitness Platform 11.3 Migration Guide

Configuration

The following tasks can be performed in any sequence.

Roles: System Administrator

Description: Understand NetWitness Endpoint and the high-level tasks required for configuration.
References: "NetWitness Endpoint Overview and Endpoint Server Configuration" in the Endpoint Configuration Guide

Description: Review Groups and Policies for agents.
References: "Endpoint Sources" topic in the Endpoint Configuration Guide

Description: Set up the RSA Live account and verify that the ESA content and Application Rules for Endpoint are available.
Note: The file reputation service is automatically enabled on RSA Live.
References: Live Services Management Guide

Description: Create role-based access control (RBAC).
References: "Role Permissions" in the System Security and User Management Guide

Description: Configure the data retention policy.
References: "Configure Data Retention" in the Endpoint Configuration Guide

Description: Manage inactive agents.
References: "Manage Inactive Agents" in the Endpoint Configuration Guide

Investigation

The following tasks can be performed in any sequence.

Roles: Context Expert, Incident Responder, Threat Hunter

Description: Understand how investigation works.
References: "How NetWitness Investigate Works" in the NetWitness Investigate User Guide

Description: Configure Investigate views.
References: "Configuring NetWitness Investigate Views and Preferences" in the NetWitness Investigate User Guide

Description: Begin an investigation in the different Investigate views.
References: "Beginning an Investigation" in the NetWitness Investigate User Guide

Description: Review best practices for files and hosts and set up your Investigate view for investigation.
References: "Best Practices" under Investigating Files and Investigating Hosts in the NetWitness Endpoint User Guide

Description: Investigate files.
References: "Investigating Files" in the NetWitness Endpoint User Guide

Description: Investigate hosts.
References: "Investigating Hosts" in the NetWitness Endpoint User Guide

Description: Investigate processes.
References: "Investigating Hosts" in the NetWitness Endpoint User Guide

Description: Analyze downloaded files.
References: "Analyzing Downloaded Files" in the NetWitness Endpoint User Guide

Description: Change file status and remediate.
References: "Changing File Status or Remediate" in the NetWitness Endpoint User Guide

Description: Analyze events.
References: "Analyzing Events" in the NetWitness Endpoint User Guide; "Analyzing Raw Data and Metadata in the Event Analysis View", "Investigating Metadata in the Navigate View", and "Examining Raw Events in the Events View" in the NetWitness Investigate User Guide

Respond and Reporting

The following tasks can be performed in any sequence.

Roles: Incident Responder, Threat Hunter

Description: Respond to Endpoint incidents.
References: NetWitness Respond User Guide

Description: View reports related to Endpoint data.
References: Reporting User Guide

Maintenance

The following tasks can be performed in any sequence.

Roles: System Administrator

Description: Monitor health and wellness.
References: System Maintenance Guide

Integration (for Legacy NetWitness Endpoint)

The following tasks can be performed in any sequence.

Roles: System Administrator

Description: Configure NetWitness Endpoint 4.4.x metadata with NetWitness Platform.
References: "Integrating NetWitness Endpoint 4.4.0.2 or Later with NetWitness Platform" topic in the Endpoint Configuration Guide

Description: Configure integrated operation of NetWitness Endpoint 4.4.x with NetWitness Platform.
References: RSA NetWitness Endpoint Integration Guide
