Endpoint Sources - Policies

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The (Admin) > Endpoint Sources view contains two tabs: Groups and Policies.

Workflow

[Figure: Endpoint policies workflow]

What do you want to do?

User Role     | I want to ...     | Show me how
--------------|-------------------|-----------------
Administrator | create new groups | Create a Group
Administrator | edit groups       | Edit a Group
Administrator | edit ranking      | Managing Groups
Administrator | delete groups     | Delete a Group
Administrator | edit policies*    | Edit a Policy
Administrator | delete policies*  | Delete a Policy

*You can perform this task in the current view.

Quick Look

Below is an example of the Policies tab:

[Figure: Policies tab]

1. Toolbar

   • Create New: Lets you create a new policy. For more information, see Managing Policies.
   • Publish: Publishes the selected policy.
   • Edit: Lets you edit the details of an existing policy. For more information, see Edit a Policy.
   • Delete: Deletes the selected policies permanently. For more information, see Delete a Policy.

2. Filter Panel

   • Filters: You can filter policies based on Policy Type and Publication Status.

     To hide the panel, click the close icon at its top-right. To display it again if hidden, click the filter icon in the toolbar.

   • Reset: Removes the currently applied filter criteria.

   For more information, see Filter Policies.

3. Policies List Panel

   Policy View. Displays the policy details:

   • Policy name: Name of the policy.
   • Applied to groups: Lists the groups to which this policy is applied.
   • Policy description: Displays the first portion of the description.
   • Policy type: Displays the policy type: Agent Endpoint, Agent File Logs, or Agent Windows Logs.
   • Publication Status: Status of the policy: Published or Unpublished.

   You can also sort on any column. If you mouse over a column header, a sort icon is displayed. Click the icon to sort by the selected column.

4. Policy Details Panel

   Displays the properties of the selected policy.

   Note: To view the Properties panel for a policy, click the policy name.

Create Policy

Below is an example of the Create Policy dialog. The table describes the information and options in the Create Policy dialog.

[Figure: Create Policy dialog]

  • Policy Type: Displays the type for the policy. Available options are Agent Endpoint, Agent File Logs, and Agent Windows Logs.
  • Policy Name: Name of the policy. The name should be unique.
  • Policy Description: Description of the policy. The description should not exceed 8000 characters.

Panels for Log File Policy

There are two panels for defining the parameters for an Agent Log File Policy: Define Connection Settings and Define File Policy Settings.

Define Connection Settings

Below is an example of the Define Connection Settings panel. The table describes the information and available options.

[Figure: Define Connection Settings panel]

  • Collect File Logs: If enabled, the log file collection capability of the agent is activated. Logs are collected and forwarded to NetWitness as they are generated. If disabled, no defined event source logs are collected.

    Note: This option must be enabled for any file event sources to be collected.

  • Send Test Log: If enabled, a sample log is sent to the configured server when the policy is loaded, to test connectivity. This allows you to test the configuration before standard logs are available. By default, this option is disabled.

  • Primary Log Decoder / Log Collector: The primary Log Decoder or Log Collector to which the collected file logs are forwarded.

  • Secondary Log Decoder / Log Collector: If the primary Log Decoder or Log Collector is not reachable, collected file logs are forwarded to the secondary Log Decoder or Log Collector.

    Note: NetWitness cannot detect failures when the UDP protocol is used, so this failover only works with SSL or TCP.

  • Protocol: Select the transport protocol that is used to forward the collected file logs to the NetWitness servers. The following options are available:

    • SSL: Recommended, but also the most resource-intensive option. It is the only option that protects the logs in transit.
    • TCP: Sends the logs in clear text over a reliable TCP connection. May be acceptable within a corporate network.
    • UDP: Sends the logs in clear text over a non-guaranteed UDP connection. This is the least resource-intensive option.

    Note: Resource intensity is dependent upon the Log Decoder, since there is only a single connection per agent.

  • Advanced Configuration

  • Throttle Network Bandwidth: Use this setting to limit the network bandwidth that the agent uses to connect to NetWitness. This setting is disabled by default: click Enabled to turn it on, and then enter a value in kilobits per second. If not set, the agent does no network throttling. If set to a positive value x, the agent limits its network bandwidth to x kbps.

  • Advanced Setting: Caution: It is strongly recommended not to use this setting unless advised to do so by NetWitness.

Define File Policy Settings

[Figure: Define File Policy Settings panel]

  • Log File Type: From the drop-down menu, select the type of event source to be monitored.

    The list of available event sources is based on all the event source types defined on your NetWitness. You can add event source types using the Live Services module. For details, see "Find and Deploy Live Resources" in the Live Services Management Guide.

  • Collect Logs: If enabled, log files for this file type instance are collected and forwarded to NetWitness. File collection must be enabled on each source applying this policy for these specific logs to be collected.

  • On First Connect: Determines whether the NetWitness Agent collects all existing logs or only newly created logs in the specified paths upon initial collection. In both cases, new logs are collected.

    Note: Historical logs cannot be collected after an agent has begun collecting logs.

  • Log File Path: One or more paths used by the agent to locate the log files to be read.

    Note: The path value cannot end at a directory: the final portion of the path must be a file name or a set of files (using wildcard characters). You can use wildcards for both files and directories.

    Each source is limited to 16 paths. This setting must include a path and a file spec. For example: C:\Program Files\apache-tomcat-*\logs\*.log. In this case, the file spec is all files with a ".log" extension in the specified path.

    If you cannot use wildcards to specify multiple files, you can add additional paths to accommodate differences in path locations on a specific endpoint agent, for example due to installation locations or version information. Only the paths with valid locations and files on the specific endpoint agent are used; the others are ignored.

    For many event source types, there is a default path. If so, you only need to enter a path if the log files are not stored in the standard directory for that event source type.

    Note: This can be a standard Windows pathname (such as C:\Program Files\Apache\error_logs\logfile.log) or a UNC (Universal Naming Convention) pathname (\\host-name\share-name\file-path). For more details about UNC paths, see Endpoint Sources - Policies below.

  • Exclusion Filters: An optional list of regex patterns used to filter out any logs that match the patterns. Enter each filter on a new line. Each source is limited to 16 exclusion filters.

    Note: Each filter must be a valid regex string, or the system does not allow you to save it.

  • Advanced Settings

  • Source Alias: Optionally, enter a hostname or an IPv4 or IPv6 address to identify individual sources. This is recommended when there are two or more sources of the same type on the same server, for example a server that runs two instances of the Apache web server.

    Note: This value only rarely needs to be entered. One example is if you have more than one web server, and they are running different Apache servers.

    Note the following:

    • If you enter a value for this parameter, the event source is applicable to a single Endpoint server.
    • This optional address or hostname is included in the meta for any logs originating from this source, which analysts can use to identify the source.
    • Set a value for this parameter if two sources of the same event source type are configured in the same policy.
    • This setting is not commonly needed: it is only useful if the policy is applied to a single endpoint.

  • File Encoding: Specifies the character encoding of the log files. If Local Encoding is selected, the NetWitness Agent uses the default encoding of the Windows machine on which it is running.

    This setting must match the encoding of the log files, or they will not be processed correctly.

    Note: UTF-8/ASCII is recommended (and the default). UTF-8 is a superset of ASCII.

    All logs are re-encoded to UTF-8 before being sent to NetWitness.

For a list of the currently supported types, see Currently Supported File Log Event Source Types.

Define Policy Panel for Agent Endpoint Policy

Below is an example of the Define Policy panel. The table describes the information and options for an Agent Endpoint policy:

[Figure: Define Policy panel (Agent Endpoint)]

  • Scan Schedule

  • Run Scheduled Scan: Run a scheduled scan if you want to receive regular snapshots from a host. Scan snapshots provide detailed information about processes and files loaded in memory. By default, this option is disabled. You can also run a manual scan from the Hosts view.

    Note: The following scan schedule options are available only when the scan schedule is enabled. The values entered are specific to the agent time zone.

  • Effective Date: Date when the policy takes effect. If you do not want this policy to take effect as soon as it is applied to a group and published, set an effective date in the future. By default, this is set to the current date.

  • Scan Frequency: Determines how often the scheduled scan runs on a host. By default, this is set to every week. Every network is different, and the frequency should balance the analysts' need for current data, their availability to review the data, and how systems deal with the load of the generated data.

    Select Days or Weeks:

    • Days: Select the number of days of the scan frequency. You can set a schedule to scan every n days, where n is 1, 2, 3, 4, 5, 6, 10, 15, or 20. For example, to scan every third day, select 3.
    • Weeks: Select after how many weeks the policy scan should be initiated and on which day of the week it should initiate. For example, to scan every other Wednesday, choose 2 and W.

  • Start Time: Time when the scheduled scan starts to run on a host. By default, this is set to 9:00. This is the local host time, meaning that scans across a global [...] select 19:30.

    Note: Only fragments of the following settings' names and descriptions were recoverable; gaps are marked [...].

  • CPU Maximum: [...] the value is set at 25%. Increasing the CPU maximum increases the speed of scan snapshot retrieval; [...] the less CPU is available for other tasks on the host.

  • Virtual Machine Maximum: [...] the value is set at 10%. Increasing the virtual machine maximum value increases the speed of scan snapshot retrieval; [...] the less CPU is available for other tasks running on the virtual machine.

  • [...] it is set to Advanced.

  • [...] verify that the Windows Management Instrumentation (WMI) service is enabled. [...] this option is disabled.

  • [...] this option is disabled. This can help to identify when an operating system boot sequence is compromised. However, not all modifications to the MBR are malicious, as they could be made to provide encryption or enforce licensing of certain legitimate software.

  • [...] this option is disabled. If this option is disabled, no snapshot data is displayed in the Hosts view until a manual or scheduled scan is run on these hosts. Existing hosts will not be affected.

  • [...] only one instance of the file is downloaded. By default, this option is enabled.

  • Automatic Memory DLL Downloads: From version 11.6.1 and higher, all memory DLLs that are detected during a scan are automatically downloaded regardless of the file size. This option is enabled by default.

  • [...] the Exclude all signed and Exclude Microsoft and Apple signed options download the files that are not part of any installed RPMs, or files that are part of an RPM but whose hashes do not match the RPM. [...] files of size less than or equal to 1 MB are downloaded automatically.

  • [...] this option is disabled. File blocking is not enforced if it is disabled by policy, which might be desirable to ensure that there are no performance side effects on systems where CPU or IO performance is critical.

  • [...] this option is disabled.

  • [...] the agent uses the default Endpoint Server that is configured during packager generation.

  • [...] the port is set to 443. [...] make sure that it matches the server configuration. If you enter the wrong port, the agents can no longer communicate with the Endpoint Server and the system will be non-functional.

  • [...] the value is set to 15 minutes. The default method of beaconing is UDP. Beaconing is used as a keep-alive to know whether a host is online and to allow hosts to respond faster than the fallback HTTPS beacon time.

  • [...] the port is set to 444. [...] make sure that it matches the server configuration. Entering the wrong port results in loss of functionality and affects performance.

  • [...] the value is set to 30 seconds.

  • [...] logs from the Windows hosts are collected and forwarded to the NetWitness Platform. By default, this option is disabled.

  • [...] a sample log is sent to the configured server when the policy is loaded, to test connectivity. This allows you to test the configuration before standard logs are available. By default, this option is disabled.

  • Primary Log Decoder / Log Collector: Primary NetWitness Log Decoder or Log Collector to which the collected Windows logs are forwarded.

  • (Optional) Secondary Log Decoder / Log Collector: [...] the collected Windows logs are forwarded to the secondary Log Decoder or Log Collector.

  • [...] TCP, or UDP transport protocol is used to forward the collected Windows logs to the NetWitness Platform servers. By default, the protocol is TCP.

  • [...] filter condition, and the relevant event IDs. You can either select common channels, such as Security or System, from the drop-down list, or create custom channels by entering the channel name. By default, all events are collected from a selected channel.

  • [...] and then enter a value in kilobits per second. [...] the agent does not do any network throttling. If set to a positive value x, the agent limits network bandwidth to x kbps.
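The Scan Schedule settings above (Effective Date, Scan Frequency, Start Time) worked through as code. This is an added example and not NetWitness code; it assumes the agent's time zone can be modelled as a fixed UTC offset and uses Python's weekday numbering (Monday = 0) for the day-of-week choice, with function names of my own.

```python
from datetime import date, datetime, time, timedelta, timezone
from typing import List, Optional

# Day values the Scan Frequency control accepts for "every n days" (from the table above).
DAY_CHOICES = (1, 2, 3, 4, 5, 6, 10, 15, 20)
WEDNESDAY = 2  # Python weekday numbering: Monday = 0 ... Sunday = 6

def scheduled_scans(effective: str, start: str, agent_utc_offset_hours: int, *,
                    days: Optional[int] = None, weeks: Optional[int] = None,
                    weekday: Optional[int] = None, count: int = 4) -> List[datetime]:
    """Return the first `count` scan times for one host as time-zone-aware datetimes.

    effective   Effective Date (ISO date): nothing is scheduled before this day.
    start       Start Time ("HH:MM") in the agent's local zone, modelled here as a
                fixed UTC offset (an assumption; real zones also have DST shifts).
    days        every n days, n in DAY_CHOICES; or
    weeks       every n weeks on `weekday` (the page's "2 and W": weeks=2, weekday=WEDNESDAY).
    """
    if (days is None) == (weeks is None):
        raise ValueError("choose either Days or Weeks, not both")
    first = date.fromisoformat(effective)
    if days is not None:
        if days not in DAY_CHOICES:
            raise ValueError(f"days must be one of {DAY_CHOICES}")
        step = timedelta(days=days)
    else:
        if weeks < 1 or weekday is None or not 0 <= weekday <= 6:
            raise ValueError("weeks must be >= 1 and weekday 0..6")
        # The first run lands on the first matching weekday on or after the effective date.
        first += timedelta(days=(weekday - first.weekday()) % 7)
        step = timedelta(weeks=weeks)
    tz = timezone(timedelta(hours=agent_utc_offset_hours))
    at = time.fromisoformat(start)
    return [datetime.combine(first + i * step, at, tzinfo=tz) for i in range(count)]

def first_run_utc(effective: str, start: str, agent_utc_offset_hours: int, **freq) -> datetime:
    """UTC instant of the first scan. Start Time is local host time, so hosts in different
    zones deliver their snapshots to the Endpoint Server at different moments."""
    run = scheduled_scans(effective, start, agent_utc_offset_hours, count=1, **freq)[0]
    return run.astimezone(timezone.utc)

if __name__ == "__main__":
    # Constructed example, not from the page: every other Wednesday at 19:30,
    # policy effective 2024-01-01 (a Monday), agent five hours behind UTC.
    for run in scheduled_scans("2024-01-01", "19:30", -5, weeks=2, weekday=WEDNESDAY):
        print(run.isoformat())   # 2024-01-03T19:30:00-05:00, then 2024-01-17, ...
    # Same start time on two agents: 09:00 local is 14:00 UTC at -5 but 00:00 UTC at +9.
    print(first_run_utc("2024-01-01", "09:00", -5, days=3).isoformat())
    print(first_run_utc("2024-01-01", "09:00", 9, days=3).isoformat())
```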