The RSA NetWitness Logs & Network Analyst examination is based on the critical job functions that an individual would typically be expected to perform with competence when performing analysis using RSA NetWitness Logs & Network.
The job functions expected of an RSA NetWitness Logs & Network Analyst typically fall into the following major areas of responsibility:
▪ In-depth knowledge of RSA NetWitness Logs & Network technology
▪ A working knowledge of how various components (servers, hosts, and other ancillary devices) function together to monitor and help security analysts discover, investigate, and remediate advanced threats
▪ Analysis and hunting on both packets and logs using recommended methods
▪ Analysis of network traffic for suspicious activity
▪ Creation of rules for specific use cases
Candidate Background and Experience
An RSA NetWitness Logs & Network Analyst candidate should have a minimum of two years of professional experience in one or more of the following technical areas and understand how these technologies relate to and integrate with the RSA NetWitness Logs & Network product:
▪ Previous experience in computer and network operations, operating systems, and information security.
▪ Web and Application Servers and Browsers.
▪ Analysis of network traffic and logs to identify potential threats.
The RSA NetWitness Logs & Network Analyst exam is comprised of four major Domains (subject areas). Each Domain is represented by a series of questions designed to evaluate competence and knowledge of elements relating to that domain. The following table describes the proportion of the examination that relates to each domain:
| Domain | % of Examination |
|---|---|
| 3.0: Investigation Techniques | 45% |
Domain 1.0: ESA
The RSA NetWitness Logs & Network Analyst must have a fundamental knowledge of Event Stream Analysis functionality and rules.
▪ ESA Rules
- Basic rules
▪ Event Correlation
- Event time
Domain 2.0: Hunting
The RSA NetWitness Logs & Network Analyst must have a fundamental knowledge of how to use the product to find potential threats.
- Hunting Techniques
- Hunting Pack
▪ Attack characteristics
▪ Event Analysis
Domain 3.0: Investigation Techniques
The RSA NetWitness Logs & Network Analyst must have a fundamental knowledge of investigation functionality and techniques used to find interesting metadata.
▪ Meta Creation
- Index values
- Index files
▪ Investigate UI
- Meta key info
- Meta key order
- Custom column groups
- Context hub
Domain 4.0: Rules
The RSA NetWitness Logs & Network Analyst must have a fundamental knowledge of the types of rules and how they are used in an investigation.
▪ Application Rules
▪ Report Rules
Although RSA NetWitness Logs & Network product training is not a strict requirement in preparation for the exam, it is highly recommended.
Analysis of test results of RSA Certification exams indicates that a majority of candidates who attend training prior to testing are more likely to successfully pass the exam on their first attempt.
For full and detailed descriptions of RSA NetWitness Logs & Network course offerings, visit: https://community.rsa.com/community/training/netwitness
Many of the areas addressed by the RSA NetWitness Logs & Network Analyst exam will be familiar to the candidate who has worked with the RSA NetWitness Logs & Network product.
The RSA NetWitness Logs & Network Analyst exam content areas cover a wide range of RSA NetWitness Logs & Network product functions because an RSA NetWitness Logs & Network Analyst may be called upon to detect, analyze and respond to threats using a variety of methods.
Testing Centers, Locations, and Registration
The RSA NetWitness Logs & Network Analyst examination is administered by the Pearson VUE organization – an internationally known examination provider. Examination centers are located worldwide. Visit the Pearson VUE web site (http://pearsonvue.com/rsa/) and use the Test Center Locator to find a testing facility convenient to you.
You may also use the Pearson VUE site to create a personal login account and register for an exam. The RSA NetWitness Logs & Network Analysis exam code is 050-11-NWLN-ANLYST01.
The RSA NetWitness Logs & Network Analyst exam consists of 70 questions to be completed in 85 minutes. The exam consists of multiple-choice, multiple-response, or true/false type questions. The exam is computer-based and closed book – you may not utilize any printed material, personal computers, calculators, cell phones, etc. during the test.
The minimum passing score is 70%. Test results are calculated automatically at the conclusion of the test and testing center personnel can often provide you with an authorized copy of your results before you leave the testing center.
The fee for taking the exam is US$ 150.00.
The RSA NetWitness Logs & Network Analyst exam is available in North American English.
What to expect at the Testing Center
You must present two forms of identification, one of which is a photo identification.
You will be required to electronically accept the terms of an RSA Certification Program Non-Disclosure Agreement before beginning the examination. You are given an additional 5 minutes above and beyond the examination time to read this agreement before accepting.
Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the