
Endpoint Config: Overview

Document created by RSA Information Design and Development Employee on Mar 16, 2018. Last modified by RSA Information Design and Development Employee on Jul 16, 2020.

Note: The information in this topic applies to RSA NetWitness Platform Version 11.1 and later.

About NetWitness Endpoint

NetWitness Platform provides an endpoint detection and response solution that continuously monitors the behavior of all endpoints in and outside the network to provide deep visibility and analysis of executables and processes. It helps to detect new, unknown, and targeted attacks, highlights suspicious activity for investigation, exposes anomalous behaviors, and determines the scope of compromise to help analysts respond to advanced threats faster. During investigation, the analyst can use the visual indication of threat level to assess the risk of endpoints.

As part of this solution, NetWitness Platform introduces Endpoint Log Hybrid that:

  • Collects and manages endpoint (host) data from Windows, Mac, and Linux hosts.
  • Collects log files and Windows logs from Windows hosts.
  • Generates metadata to correlate endpoint data with sessions from other event sources, such as logs and network.

Analysts can:

  • Perform instant scans for detailed insight into host behavior at any point in time.
  • Analyze the scope of an attack across hosts and the network through integrated metadata.
  • Quickly triage and focus their investigation by managing suspect and legitimate files.
  • Perform multiple checks of file legitimacy to determine whether a file is malicious, including checking file certificates and hashes.
  • Blacklist malicious files and then block them across all hosts in the network to prevent future execution of those files on any host.
  • Download the Master File Table (MFT), system dump, and process dump for forensic investigation.
  • Isolate a host from the network to safely investigate possible threats within the host.

Endpoint Log Hybrid receives data from the Endpoint Agents. The following services run on the Endpoint Log Hybrid:

  • Endpoint Server: Manages data received and stores it in a database. It parses the events, generates metadata, and forwards it to the Log Decoder through protobuf.

    Note: You may need to install your Endpoint Server on separate hardware from your Log Decoder.

    If you are only using NetWitness Platform for collecting and analyzing logs, you can co-locate your Endpoint Log Hybrid Server on the same physical hardware as your Log Decoder. However, note the following guidelines for this configuration:

    • RSA recommends a maximum number of Endpoint Agents of 10,000 (ten thousand).
    • RSA recommends a maximum scan frequency of Weekly.

    If you exceed either of these guidelines, disk space usage and CPU load might become high enough to raise alarms for your Endpoint Server in Health and Wellness. If you notice this, and are running both log collection and EDR scans, you can use Throttling to control the amount of data coming into the Log Decoder.

    If that doesn't help, RSA recommends that you move your Endpoint Log Hybrid Server onto separate hardware from that used by your Log Decoder.

  • Log Decoder: Captures data from the Endpoint Server and processes the metadata.

  • Concentrator: Aggregates metadata from the Log Decoder and makes it available to all upstream components, such as Investigate, Reporting Engine, Respond, and Event Stream Analysis, in the same way as the NetWitness Decoder and Concentrator do for network data.

  • Log Collector: Collects logs from all event sources that are supported for log collection in the NetWitness Platform.

In addition to the above services, the Endpoint Log Hybrid leverages the following services:

  • Event Stream Analysis (ESA): Creates alerts from ESA rules for Endpoint data.
  • Endpoint Broker: Provides a consolidated view of all Endpoint servers in a multiple Endpoint Log Hybrid deployment.

Endpoint Agent Data Flow

The following figure shows the endpoint data flow from the agent to the NetWitness Platform:

[Figure: Endpoint Agent Data Flow]

The Hosts and Services Getting Started Guide provides the information you need to understand and install all the NetWitness Platform services.

Basic configuration involves:

  • Installing agents on hosts
  • Deploying the ESA rules from the Endpoint Rule Bundle
  • Creating groups and policies
  • Configuring Endpoint metadata forwarding and retention policies
  • Defining health and wellness policies to monitor Endpoint Server
  • Installing and configuring Relay Server

You can configure the required settings in the NetWitness Platform user interface in the Services Config view (ADMIN > Services > Endpoint Server > Config).

Explore view
