RSA NetWitness Endpoint collects endpoint data from Windows, Mac, or Linux hosts, which can be used to investigate, report, alert, and perform analysis. Analysts can perform instant scans for detailed insight into host behavior at any point in time. In addition, Endpoint can collect logs from Windows hosts. NetWitness Endpoint Insights introduces two host types - Endpoint Hybrid and Endpoint Log Hybrid. You can install only one instance of either host type in your deployment. This means you can deploy either one instance of Endpoint Hybrid or one instance of Endpoint Log Hybrid, and you cannot change the type once it is deployed.
Endpoint Hybrid - collects and manages endpoint (host) data. It generates metadata for investigation, analysis, alerting, and reporting. It is configured and managed in the same way as a Log or Packet Decoder. The Endpoint Hybrid runs an Nginx server (in reverse proxy mode) that receives data from the Endpoint agent. The following services run on the Endpoint Hybrid:
- Endpoint Server - Manages data received through Nginx, stores it in the Mongo database, and sends metadata to the Log Decoder.
- Log Decoder - Captures data from the Endpoint Server and processes the metadata.
- Concentrator - Aggregates metadata from the Log Decoder and makes it available to all upstream components, such as Investigate, Reporting Engine, and Event Stream Analysis, as in any other NetWitness Decoder and Concentrator setup.
Endpoint Log Hybrid - captures both endpoint and log data. In addition to the services running on the Endpoint Hybrid, a Log Collector service runs on the Endpoint Log Hybrid. It collects logs from Windows hosts and from all other event sources supported for log collection in the NetWitness Suite.
The Hosts and Services Getting Started Guide provides the information you need to understand and install all the NetWitness Suite services.
Basic configuration involves:
- Installing agents on hosts
- Configuring Endpoint meta forwarding, scheduled scans, and retention policies
- Defining health and wellness policies to monitor the Endpoint Server
You can configure the required settings using the options in the NetWitness Suite user interface under the Administration > Services > Config view (ADMIN > Services > Endpoint Server > Config).