About NetWitness Endpoint
NetWitness Platform provides an endpoint detection and response solution that continuously monitors the behavior of all endpoints in and outside the network to provide deep visibility and analysis of executables and processes. It helps to detect new, unknown, and targeted attacks, highlights suspicious activity for investigation, exposes anomalous behaviors, and determines the scope of compromise to help analysts respond to advanced threats faster. During investigation, the analyst can use the visual indication of threat level to assess the risk of endpoints.
As part of this solution, NetWitness Platform introduces Endpoint Log Hybrid that:
- Collects and manages endpoint (host) data from Windows, Mac, and Linux hosts.
- Collect log files and Windows logs from Windows hosts.
- Generates metadata to correlate endpoint data with sessions from other events sources, such as logs and network.
- Perform instant scans for detailed insights of the host behavior at any point in time.
Analyze the scope of the attack across hosts and network through integrated metadata.
- Quickly triage and focus their investigation by managing suspect and legitimate files.
Perform multiple checks of file legitimacy to determine if a file is malicious, including checking file certificates and hashes.
Blacklist malicious files and then block them across all hosts in the network to prevent future execution of this file on any host.
- Download Master File Table (MFT), system dump, and process dump for forensic investigation.
- Isolate host from the network to safely investigate possible threats within the host.
Endpoint Log Hybrid receives data from the Endpoint Agents. The following services run on the Endpoint Log Hybrid:
Endpoint Server: Manages data received and stores it in a database. It parses the events, generates metadata, and forwards it to the Log Decoder through protobuf.
If you are only using NW Platform for collecting and analyzing logs, you can co-locate your Endpoint Log Hybrid Server on the same physical hardware as your Log Decoder. However, please note the following guidelines for this configuration:
- RSA recommends a maximum number of Endpoint Agents of 10,000 (ten thousand).
- RSA recommends a maximum scan frequency of Weekly.
If you exceed either of these guidelines, the amount of disk space usage and CPU might become so high as to create alarms for your Endpoint Server in Health and Wellness. If you notice this, and are running both log collection and EDR scans, you can use Throttling to control the amount of data coming into the Log Decoder.
If that doesn't help, RSA recommends that you move your Endpoint Log Hybrid Server onto separate hardware from that used by your Log Decoder.
Log Decoder: Captures data from the Endpoint Server and processes the metadata.
Concentrator: Aggregates metadata from the Log Decoder and makes it available for all upstream components like Investigate, Reporting Engine, Respond, and Event Stream Analysis similar to NetWitness Decoder and Concentrator.
Log Collector: Collects logs from all event sources that are supported for the log collection in the NetWitness Platform.
In addition to the above services, the Endpoint Log Hybrid leverages the following services:
- Event Stream Analysis (ESA): Creates alerts from ESA rules for Endpoint data.
- Endpoint Broker: Provides a consolidated view of all Endpoint servers in a multiple Endpoint Log Hybrid deployment.
Endpoint Agent Data Flow
The following figure shows the endpoint data flow from the agent to the NetWitness Platform:
The Hosts and Services Getting Started Guide provides the information you need to understand and install all the NetWitness Platform services.
Basic configuration involves:
- Installing agents on hosts
- Deploying the ESA rules from the Endpoint Rule Bundle
- Creating groups and policies
- Configuring Endpoint metadata forwarding and retention policies
- Defining health and wellness policies to monitor Endpoint Server
- Installing and configuring Relay Server
You can configure the required settings in the NetWitness Platform user interface under Administration Services Config view (ADMIN > Services > Endpoint Server > Config).