This topic provides the high-level tasks required to configure the Endpoint Log Hybrid.
|Install the Endpoint Log Hybrid||See the Physical Host Installation Guide and Virtual Host Setup Guide.|
|Deploy Application and ESA Rules||See Deploying Endpoint Application Rules and ESA Correlation Rules.|
|Configure Metadata Forwarding|| |
Similar to logs and packets, you can view Endpoint metadata in the Navigate and Event Analysis view. You can also generate reports and alerts for the Endpoint data. By default, the Endpoint Meta option is disabled. The agent must be installed with the Endpoint Meta option enabled to forward metadata. For more information, see Configure Metadata Forwarding.
|Install Agents on Hosts|| |
The Endpoint agent installer is generated using the Agent Packager tab under ADMIN > Services > Config > Endpoint Server from the NetWitness Platform user interface. The Packager is a zip file that contains executables and configuration files for generating agent installer for Linux, Mac, and Windows operating systems. You can install only one version of the agent on a host. If you have a previous version of an agent installed (for example, 4.4), uninstall this agent to install the 11.3 agent.
After the agent is installed, it appears on the Investigate > Hosts view. By default, the Endpoint data is posted for the first time. To collect subsequent Endpoint data, you have to either schedule a scan or perform ad hoc scan. It retrieves data, such as drivers, processes, DLLs, files (executables), services, autoruns, security information, anomalies, system configurations, and scripts found on the host.
|Install and Configure the Relay Server||See (Optional) Installing and Configuring Relay Server.|
|Manage Groups and Policies||To efficiently manage and update endpoint agent configurations, you can group the agents, and manage their behavior using policies. For more information, see Endpoint Sources.|
Enable Reputation Status
Reputation Status is enabled by default in an NetWitness Platform 11.3 deployment and displays information about the file. For troubleshooting, see the Live Services Guide.
Risk Score is calculated and obtained from NetWitness Respond for hosts and files. For more information, see the NetWitness Respond Configuration Guide.
|Configure Data Retention Policy|| |
Define data retention policies to optimally store and manage the Endpoint data based on the age of the Endpoint data or the storage size. By default, 30 days of agent data is retained. For more information, see Configuring Data Retention Policy.
|Manage Inactive Agents|| |
By default, agents (including all the collected Endpoint data) that have not communicated with the Endpoint Server for 90 days will be automatically deleted. For more information, see Managing Inactive Agents.
Investigate Endpoint data
You can investigate the Endpoint data in the Investigate > Hosts and Investigate > Files views. For more information, see the NetWitness Endpoint User Guide.