NetWitness Platform provides an endpoint detection and response solution that continuously monitors the behavior of all endpoints in the network to provide deep visibility and analysis of executables and processes. It helps to detect new, unknown, and targeted attacks, highlights suspicious activity for investigation, exposes anomalous behaviors, and determines the scope of compromise to help analysts respond to advanced threats faster. During investigation, the analyst can use the visual indication of threat level to assess the risk of endpoints.
As part of this solution, NetWitness Platform introduces Endpoint Log Hybrid that:
- Collects and manages endpoint (host) data from Windows, Mac, and Linux hosts.
- Collect logs from Windows hosts.
- Generates metadata to correlate endpoint data with sessions from other events sources, such as logs and network.
- Perform instant scans for detailed insights of the host behavior at any point in time.
Analyze the scope of the attack across hosts and network through integrated metadata.
- Quickly triage and focus their investigation by managing suspect and legitimate files.
Perform multiple checks of file legitimacy to determine if a file is malicious, including checking file certificates and hashes.
Blacklist malicious files and then block them across all hosts in the network to prevent future execution of this file on any host.
Endpoint Log Hybrid runs an Nginx server (in a reverse proxy mode) that receives data from the Endpoint Agent. The following services run on the Endpoint Log Hybrid:
Endpoint Server: Manages data received through Nginx, stores it in the Mongo database. It parses the events, generates metadata, and forwards it to the Log Decoder through protobuf.
Log Decoder: Captures data from the Endpoint Server and processes the metadata.
Concentrator: Aggregates metadata from the Log Decoder and makes it available for all upstream components like Investigate, Reporting Engine, Respond, and Event Stream Analysis similar to NetWitness Decoder and Concentrator.
Log Collector: Collects logs from all event sources that are supported for the log collection in the NetWitness Platform.
In addition to the above services, the Endpoint Log Hybrid leverages the following services:
- Event Stream Analysis (ESA): Creates alerts from ESA rules for Endpoint data.
- Endpoint Broker: Provides a consolidated view of all Endpoint servers in a multiple Endpoint Log Hybrid deployment.
Endpoint Agent Data Flow
The following figure shows the endpoint data flow from the agent to the NetWitness Platform:
The Hosts and Services Getting Started Guide provides the information you need to understand and install all the NetWitness Platform services.
Basic configuration involves:
- Installing agents on hosts
- Deploying the ESA rules from the Endpoint Rule Bundle
- Creating groups and policies
- Configuring Endpoint metadata forwarding and retention policies
- Defining health and wellness policies to monitor Endpoint Server
You can configure the required settings in the NetWitness Platform user interface under Administration Services Config view (ADMIN > Services > Endpoint Server > Config).