Check out the newly released 11.6 ILT class here
Summary
This foundations course focuses on the core features and functions of the NetWitness Platform for Administrators and Analysts.
Overview
This classroom training provides a foundational overview of the core components of NetWitness Platform. Students gain insight into the core concepts, uses, functions and features and also gain practical experience by performing a series of hands-on labs.
Audience
Anyone new to NetWitness Platform.
Duration
3 days
Prerequisite Knowledge/Skills
Introduction to NetWitness Platform
Students should be familiar with basic computer architecture, networking fundamentals and general information security concepts. Basic knowledge of the TCP/IP protocol stack is beneficial.
Course Objectives
Upon successful completion of this course, participants should be able to:
- Describe the NetWitness Platform architecture and data flow
- Describe the platform’s core components and functions
- Navigate and customize the user interface
- Describe how metadata is created and stored
- Describe parsing and indexing concepts
- Differentiate between meta keys, meta values, and sessions/events
- Use event views to perform simple analysis
- Investigate data using queries, pivots and drill points
- Describe data filtering techniques
- Create new meta values using rules and feeds
- Deploy LIVE content
- Describe the concept of data correlation and the use of ESA
- Describe Reporting Engine basics
- Generate alerts with ESA and the Reporting Engine
- Create and manage incidents in the RESPOND Module
- Describe Endpoint Insights features and functions
- Configure the Endpoint Insights Agent and view Endpoint data
- Describe the role of UEBA
- Describe Orchestrator concepts
Course Outline
NetWitness Platform Overview
- NetWitness Platform components and architecture
- NetWitness Data
- NetWitness Interface
Investigation Basics
- Investigation views
- Customizing the investigation screens
- Viewing events
- Writing simple and complex queries
- Meta key indexing
- Customizing data and metadata displays
- Creating meta groups
- Creating custom column groups
- Performing simple investigations
- The Context Hub
Refining the Dataset
- Filtering data with rules
- Taxonomy concepts for metadata
- Using Application rules to create new meta
- Deploying content from RSA Live
- Describing how parsers populate meta keys
- Creating feeds
- Using alerts and metadata to investigate potential threats
Reporting Engine Basics
- Reporting Engine configuration options
- Deploying reports from RSA Live
- Creating reports
- Creating reporting alerts
Event Stream Analysis
- Configuring ESA
- Creating an ESA enrichment
- Creating ESA alerts
Incident Management and Respond
- Components of the RESPOND view
- Viewing alerts and incidents
- Incident Rules
Endpoint Insights Agent
- Configuring Endpoint Insights
- Endpoint investigation with Hosts and Files
- Viewing Endpoint data
UEBA Concepts
- What is UEBA?
- UEBA user and entity analysis
Orchestrator Concepts
- What is Orchestrator?
- Orchestrator concepts
If you have any questions, please contact your account manager or Contact Us directly!