RSA NetWitness Platform Analyst Exam Guide

Document created by Megan Henderson Employee on Apr 17, 2019Last modified by Joseph Cantor on Nov 11, 2019
Version 3Show Document
  • View in full screen mode

Introduction
The RSA NetWitness Platform Analyst examination is based on the critical job functions that an individual would typically be expected to perform with competence when performing analysis using RSA NetWitness Platform .

 

The major job functions expected of an RSA NetWitness Platform Analyst typically consist of the following major areas of job role responsibility:
An in-depth knowledge about RSA NetWitness Platform technology
A working knowledge of how various components (servers, hosts, and other ancillary devices) function together to monitor and help security analysts discover, investigate, and remediate advanced threats
Analysis and hunting on both packets and logs using recommended methods
Analysis of network traffic for suspicious activity
Creation of rules for specific use cases

 

Candidate Background and Experience
An RSA NetWitness Platform Analyst candidate should have a minimum of two years of professional experience in one or more of the following technical areas and understand how these technologies relate to and integrate with the RSA NetWitness Platform product:
Previous experience in computer and Network operations, operating systems and information security.
Web and Application Servers and Browsers.
Analysis of network traffic and logs to identify potential threats.

 

Examination Domains:

The RSA NetWitness Platform Analyst exam is comprised of four major Domains (subject areas). Each Domain is represented by a series of questions designed to evaluate competence and knowledge of elements relating to that domain. The following table describes the proportion of the examination that relates to each domain:

 

 

4.0: Rules


Domain

% of Examination
1.0: ESA10%
2.0: Hunting35%
3.0: Investigation Techniques45%
4.0: Rules10%
Total100%

 

Domain 1.0: ESA
The RSA NetWitness Platform Analyst must have a fundamental knowledge of Event Stream Analysis functionality and rules.

 

Content Areas
ESA Rules
- Basic rules
- Alerts
- Enrichments
Event Correlation
- Event time

 

Domain 2.0: Hunting
The RSA NetWitness Platform Analyst must have a fundamental knowledge of how to use the product to find potential threats.

 

Content Areas

Anomalies
- Protocols
- Patterns
Methodology
- Hunting Techniques
- Hunting Pack
Attack characteristics
Event Analysis

 

Domain 3.0: Investigation Techniques
The RSA NetWitness Platform Analyst must have a fundamental knowledge of investigation functionality and techniques used to find interesting metadata.

 

Content Areas
Meta Creation
- Parsers
- Feeds
- Rules
- Indexes
Queries
- Index values
- Index files
Investigate UI
- Meta key info
- Meta key order
- Views
- Timerange
- Custom column groups
- Context hub

 

Domain 4.0: Rules
The RSA NetWitness Platform Analyst must have a fundamental knowledge of the types of rules and how they are used in an investigation.

 

Content Areas
Application Rules
Report Rules

 

Examination Preparation

 

Product Training
Although RSA NetWitness Platform  product training is not a strict requirement in preparation for the exam, it is highly recommended.Analysis of test results of RSA Certification exams indicates that a majority of candidates who attend training prior to testing are more likely to successfully pass the exam on their first attempt.

 

For full and detailed descriptions of RSA NetWitness Platform course offerings, visit: https://community.rsa.com/community/training/netwitness

 

Product Experience
Many of the areas addressed by the RSA NetWitness Platform Analyst exam will be familiar to the candidate who has worked with the RSA NetWitness Platform product.

 

The RSA NetWitness Platform Analyst exam content areas cover a wide range of RSA NetWitness Logs & Network product functions because an RSA NetWitness Platform Analyst may be called upon to detect, analyze and respond to threats using a variety of methods.

 

Examination Details

 

Testing Centers, Locations, and Registration

 

The RSA NetWitness Platform Analyst examination is administered by the Pearson VUE organization – an internationally known examination provider. Examination centers are located worldwide. Visit the Pearson VUE web site (http://pearsonvue.com/rsa/) and use the Test Center Locator to find a testing facility convenient to you.

 

You may also use the Pearson VUE site to create a personal login account and register for an exam. The RSA NetWitness Platform Analysis exam code is 050-11-NWLN-ANLYST01.

 

Exam Questions

 

The RSA NetWitness Platform Analyst exam consists of 70 questions to be completed in 85 minutes. The exam consists of multiple-choice, multiple-response, or true/false type questions. The exam is computer-based and closed book – you may not utilize any printed material, personal computers, calculators, cell phones, etc. during the test.

 

The minimum passing score is 70%. Test results are calculated automatically at the conclusion of the test and testing center personnel can often provide you with an authorized copy of your results before you leave the testing center.

 

Exam Costs
The fee for taking the exam is US$ 150.00.

 

Language Availability
The RSA NetWitness Platform Analyst exam is available in North American English.

 

What to expect at the Testing Center

You must present two forms of identification; one of which is a photo identification.

 

You will be required to electronically accept the terms of an RSA Certification Program Non-Disclosure Agreement before beginning the examination. You are given an additional 5 minutes above and beyond the examination time to read this agreement before accepting.

 

Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the

Attachments

    Outcomes