|Applies To||RSA Product Set: NetWitness Platform|
RSA Product/Service Type: Endpoint Insights
RSA Version/Condition: 220.127.116.11, 18.104.22.168
|Issue||Expired license alerting messages from advanced agent license shows an alert indicating that a usage spike has triggered the license alarm for the endpoint agents, although the desired use of the agents is for log collection only, or for just the insights agent, with a zero license being the default license in place:|
|Cause||This is caused because of the Netwitness Endpoint default policy, which automatically sets all agents as advanced in 11.3.x and later, as opposed to the insights agent. Since this is controlled by policy instead of the packager, the policy must be changed to reflect the desire to use an insights agent instead of an advanced agent to avoid the licensing exceeded message.|
|Resolution||Navigate to Admin>Endpoint Sources> Policies and under this tab, you have access to the groups and policies that comprise the endpoint agents. Assuming no additional policies exist, modify the Default EDR Policy and under Agent Mode, select the Insights checkbox and then save the edited policy:|
NOTE: If there are no advanced licenses available, every policy that is classed as a Source Type of Agent Endpoint should be set to Insights. If a mix of Advanced and Insights is used to prevent license consumption, this will need to be carefully planned and managed to determine the right mix of agents.