RSA NetWitness Platform Foundations
Course Details
Duration: 3 Days
Course Code: RSANWF
Prerequisite:
Students should be familiar with basic computer architecture, networking fundamentals and general information security concepts. Basic knowledge of the TCP/IP protocol stack is beneficial.
Course Description:
This foundations course focuses on the core features and functions of the RSA NetWitness Platform for Administrators and Analysts.
This training provides a foundational overview of the core components of RSA NetWitness Platform. Students gain insight into the core concepts, uses, functions and features and also gain practical experience by performing a series of hands-on labs.
Course Objective:
Upon completion of this course, you will be able to:
• Describe the RSA NetWitness Platform architecture and data flow
• Describe the platform’s core components and functions
• Navigate and customize the user interface
• Describe how metadata is created and stored
• Describe parsing and indexing concepts
• Differentiate between meta keys, meta values, and sessions/events
• Use event views to perform simple analysis
• Investigate data using queries, pivots and drill points
• Describe data filtering techniques
• Create new meta values using rules and feeds
• Deploy LIVE content
• Describe the concept of data correlation and the use of ESA
• Describe Reporting Engine basics
• Generate alerts with ESA and the Reporting Engine
• Create and manage incidents in the RESPOND Module
• Describe Endpoint Insights features and functions
• Configure the Endpoint Insights Agent and view Endpoint data
• Describe the role of UEBA
• Describe Orchestrator concepts
Intended Audience:
Anyone new to RSA NetWitness Platform.
Course Outline:
RSA NetWitness Platform Overview
• RSA NetWitness Platform components and architecture
• RSA NetWitness Data
• RSA NetWitness Interface
Investigation Basics
• Investigation views
• Customizing the investigation screens
• Viewing events
• Writing simple and complex queries
• Meta key indexing
• Customizing data and metadata displays
• Creating meta groups
• Creating custom column groups
• Performing simple investigations
• The Context Hub
Refining the Dataset
• Filtering data with rules
• Taxonomy concepts for metadata
• Using Application rules to create new meta
• Deploying content from RSA Live
• Describing how parsers populate meta keys
• Creating feeds
• Using alerts and metadata to investigate potential threats
Reporting Engine Basics
• Reporting Engine configuration options
• Deploying reports from RSA Live
• Creating reports
• Creating reporting alerts
Event Stream Analysis
• Configuring ESA
• Creating an ESA enrichment
• Creating ESA alerts
Incident Management and Respond
• Components of the RESPOND view
• Viewing alerts and incidents
• Incident Rules
Endpoint Insights Agent
• Configuring Endpoint Insights
• Endpoint investigation with Hosts and Files
• Viewing Endpoint data
UEBA Concepts
• What is UEBA?
• UEBA user and entity analysis
Orchestrator Concepts
• What is Orchestrator?
• Orchestrator concepts