
Create and Publish Policies

Tags: Configuration, Version 12.2

You can create a policy and assign it to one or more groups.

To create a Policy

    1. Go to Configure (CONFIGURE) > Policies.
    2. In the policies panel, click Content.
    3. Click Policies.
      The available policies are displayed.
    4. Click + Create New to add a new policy.
    5. In the New Policy panel, do the following:
      • Enter a unique policy name.
      • Enter a description for the policy.
    6. Click Next.
    7. In the Available Content, select the content type and click + to add the content to the policy. To add all content based on the resource type, click the Add All icon (image 122_AddAllServices_1122.png). After you add the content, you can enable subscription (if required) by clicking the subscribed toggle. Once the content is subscribed, the updates are pushed automatically. To search the available content, type the initial content text in the Search box under Available Content. To search the selected content, type the initial content text in the Search box under Selected Content.

      Note: In NetWitness 12.5.1, users can view the order of the selected Application or Network Rules when creating a new policy or editing an existing one. The selected rules are displayed sequentially under the Order column in the Selected Content view under the Define Policy option. Now, the Selected Content can be sorted based on the rule Order.

    8. To filter both available and selected content, do the following:
      • Click the filter icon (image 123_Filter_0523.png). The filter panel window is displayed.
      • Select the Resource Types from the available drop-down values.
      • Select the Medium from the available drop-down values.
      • Select the Resource Created Date and Resource Modified Date.
      • Select the Source Type as either 'Custom', 'Live' or 'Native Parser'.
      • To reset the fields, click Reset.

        Note: Subscription is not allowed for custom content.


    9. Note: All the dependencies are added automatically for the selected content. You can click on the content name highlighted in blue and look for details such as content description, content type, resources and dependencies and so on. You can also add and subscribe the resource from the details view.

      • To implement the Event Stream Analysis Rule content type, you must have a deployment. 

      • All groups that have a correlation server service must have a deployment.

      • For any selected policy with an ESA rule, a deployment must be created.


        To create and manage deployments, refer to the Manage Deployments feature.

    10. In the Group List, click + to assign groups to the policy.

      Note: A group is disabled if another policy of the same type is already assigned to this group.


    11. If there are no unassigned groups available, click the Create New Group icon (image 122_CreateNewGroup_0123.png) to save the policy and be redirected to the Create New Group screen. For more information on creating a new group, see the Create a Group feature.

    12. Click Save and Publish to save and publish the settings. 

      Note: You can also publish a policy from the Policy Details screen. For more information on publishing a policy from the Policy Details screen, refer to the View a Policy feature.

    13. Click Cancel to cancel the publish content dialog.

    14. Click Save and Close to save the settings. 

      Important: From version 12.3 onwards, the contents of services are not wiped out when the first policy is published.
      - Endpoint risk scoring requires certain application rules. Refer to Endpoint Risk Scoring Rules to view the list of these application rules.

Manage the deploy_admin Account

The deploy_admin account is used on every NetWitness host, and must be kept in sync between all hosts. The deploy_admin password is centrally managed with the nw-manage script on the NW Server. Running the nw-manage script updates the password on all NetWitness component hosts that use the deploy_admin account. The nw-manage script output displays the password update results for each host. If a NetWitness component host is down or unreachable for any reason, the nw-manage script provides an additional option to synchronize the deploy_admin password on the previously unresponsive host with the NW Server when that host becomes available again.

The following procedures describe how to change the deploy_admin password for all hosts in your environment, for hosts in a mixed version environment, and for hosts that are unavailable during the first attempt to change the deploy_admin password.

Change the deploy_admin Account Password

  1. Log in to the NW Server host using SSH or the NwConsole.
  2. Run the following command:
    nw-manage --update-deploy-admin-pw
    A prompt for the new password is displayed.
  3. Enter the new password.

Change the deploy_admin Account Password in a Mixed Version Environment

If you are operating in a mixed version environment (for example, the NW Server is on a newer version and the NW component hosts are still on an older version of NetWitness), the nw-manage script prompts you to run the /opt/rsa/saTools/bin/set-deploy-admin-password script on those older component hosts first. After the hosts on the older versions are updated, rerun the nw-manage script on the NW Server with the --skip-version-checks argument.

  1. On each component host that is on an older version, reset the deploy_admin password by running the following command:
    /opt/rsa/saTools/bin/set-deploy-admin-password
    This resets the deploy_admin password on all the component hosts with the older versions.
  2. Log in to the NW Server host using SSH or the NwConsole and run the following command:
    nw-manage --update-deploy-admin-pw --skip-version-checks
    A prompt for the new password is displayed.
  3. Enter the new password.

Change the deploy_admin Account Password for a Component Host that is Unavailable

If a component host is down or otherwise unreachable the first time you run the nw-manage script, it is identified as skipped in the nw-manage --update-deploy-admin-pw output. When the host is back online, its deploy_admin password must be synchronized with the NW Server.

To synchronize the previously unreachable host with the NW Server:

  1. Log in to the NW Server host using SSH or the NwConsole.
  2. Run the following command:
    nw-manage --sync-deploy-admin-pw --host-key