The NetWitness Specialist Analyst certification reflects the fundamental knowledge required of security analysts performing incident response and analysis with the NetWitness Platform. The prerequisite for this certification is the NetWitness Certified Associate certification.
$110 USD ⁓ 110 Training Credits
Exam Registration
for Customers/Partners
Exam Registration
for NetWitness Employees
Anyone with at least two years experience as an analyst using the NetWitness Platform (recommended versions 11.5 or 11.6)
and/or
Anyone who has successfully completed and mastered the content in these NetWitness Education courses:
- Introduction to NetWitness
- NetWitness Platform Foundations
- NetWitness Endpoint Foundations
- NetWitness Platform Analysis
- NetWitness Platform Intro to Hunting
Additional Recommended Background and Experience
Certification candidates are most likely to pass with a minimum of two years of experience in at least one of the following technical areas:
Take FREE Practice Test
for Customers/Partners
Take FREE Practice Test
for NW Employees
- Network operations
- Information security analysis
- Operating systems
- IT administration
The exam is comprised of several Domains or topical subject areas. Each Domain is represented by a series of questions designed to evaluate competence and knowledge of elements relating to that area. Exam questions for this certification include the following Domains:
|
Domain |
% of Examination |
|
Investigation |
30% |
|
Endpoint Investigation |
20% |
|
Hunting |
20% |
|
Incident Response |
15% |
|
NetWitness Metadata |
15% |
|
Total |
100% |
Investigation
Topics include the various techniques and tools used to investigate data in your organization.
Topic examples
- Investigative tools
- Navigate view
- Events view
- Queries
- Optimizing investigation
- Recommended methodology phases
- Profiles
- Enrichments for ESA alerts
Endpoint Investigation
Topics include the analysis tools provided by NetWitness Endpoint.
Topic examples
- Endpoint interface
- Risk score interpretation
- Risk score resets
- Reputations and signatures
- Endpoint investigation tools
- Application rules
- Blacklisting and whitelisting
- Image and kernel hook detection
- MFT analysis
- Endpoint memory dump
Hunting
Topics include the hunting tools provided by NetWitness Platform as well as recommended hunting methodologies and basic hunting terminology.
Topic examples
- Hunting tools
- Content Packs
- Hunting Guide
- Hunt Cards
- Context Hub
- Methodology and concepts for hunters
- Recommended methodology phases
- Traffic flow filtering
- Investigation feed
- WebShells
Incident Response
Topics include general Incident Response roles and processes.
Topic examples
- Incident Response model
- Typical roles
- Model types
- Recommended Incident Response processes
- Prioritization of alerts (triage)
- Incident creation and assignment
- Add events to incident
- Review incident metadata
NetWitness Metadata
Topics include characteristics of metadata in NetWitness, as well as hands-on metadata analysis techniques.
Topic examples
- Characteristics of metadata in NetWitness
- Definition of NetWitness metadata
- Unified Data Model
- NetWitness Investigation Model
- Analysis techniques
- Indicators of suspicious activity
- Context-level meta keys
- Network layer queries
Examination Preparation
Although NetWitness Platform product training is not a strict requirement in preparation for the exam, it is highly recommended you complete the courses listed.
For more about our NetWitness Platform course offerings, visit: https://community.netwitness.com/t5/netwitness-education-courses/tkb-p/netwitness-training
Exam Questions
The exam consists of 70 multiple choice questions to be completed in 85 minutes. One valid answer should be selected for each question. The exam is computer-based and closed book – you may not utilize any printed material, personal computers, calculators, cell phones, etc. during the test.
The minimum passing score is 70%. Test results are calculated automatically at the conclusion of the test and testing center personnel can often provide you with an authorized copy of your results before you leave the testing center.
Exam Costs
The fee for taking the exam is US$ 110.00.
Language Availability
NetWitness exams are available in North American English.
How is the testing conducted
Please be advise that we use the SABA Cloud testing platform to conduct the assessments. SABA uses remote proctoring technology to supervise the exam.
This help us ensure integrity of the exam, for additional details click here.
Technical Instructions before starting the exam:
Check your Internet Connectivity. Use Mozilla Firefox or Google Chrome browser. Clear your browser cache. Your Device/Laptop/PC should have a webcam. Allow Mic and Webcam access to browser. Avoid using Multiple Screens Avoid navigating to other browser tabs/windows
Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the exam.
Exam Registration
for Customers/Partners
Exam Registration
for NetWitness Employees
Additional resources
For additional questions please contacts us at education.support@netwitness.com
1 Comment
