This examination is based on the critical job functions typically expected of those providing security analyst
services with RSA NetWitness Endpoint.
An RSA NetWitness Endpoint Analyst typically works in professional services, incident response, or another
security implementation role within RSA, within an RSA Partner organization, or within an organization using RSA
The expertise expected of an RSA NetWitness Endpoint security analyst includes in-depth knowledge in these areas:
- The characteristics and behavior of malicious software and related intrusion tactics
- The RSA NetWitness Endpoint technology and related technologies
- Ability to perform basic module analysis and event timeline reconstruction
Candidate Background and Experience
An RSA NetWitness Endpoint Analysis candidate should have a minimum of two years of professional experience in one or more of the following technical areas and understand how these technologies relate to the RSA NetWitness Endpoint product:
- IT admin-level knowledge of relevant operating systems
- Windows and Active Directory
- Threat analysis
- Intrusion lifecycle
- Intrusion tactics
- Static or dynamic malware analysis
The RSA NetWitness Endpoint Analysis examination is comprised of three major Domains (subject areas). Each
Domain is represented by a number of questions designed to evaluate competence and knowledge relating to
that domain. The following table approximates the importance of each domain in the exam:
|Domain|% of Examination|
|---|---|
|1.0: RSA NetWitness Endpoint User Interface|35%|
|2.0: RSA NetWitness Endpoint Architecture|25%|
|3.0: RSA NetWitness Endpoint Analysis Basics|40%|
Domain 1.0: RSA NetWitness Endpoint User Interface
The RSA NetWitness Endpoint security analyst must have a comprehensive knowledge of the product’s default
interface, the methods available for customizing the interface, and familiarity with features visible by default and
available in the various areas of the User Interface.
- Machines View
- Interpret status, threat indicator, and properties fields
- Optional fields of content hidden by default
- Modules View
- Filtering, threat indicator, and properties fields
- Optional fields of content hidden by default
- Other interface areas
- Main Menu: Dashboard, InstantIOCs, IP List, Downloads, Events
- Other options: Operating System tabs, Restore Layout, Refresh
Domain 2.0: RSA NetWitness Endpoint Architecture
The RSA NetWitness Endpoint security analyst must have a comprehensive knowledge of the RSA NetWitness
Endpoint product, component architecture, requirements, and typical configuration options.
- ConsoleServer and SQL database
- Agent and Agent Packager
- Remote Agent Relay functionality
Domain 3.0: RSA NetWitness Endpoint Analysis Basics
RSA NetWitness Endpoint security analysts must display the ability to perform basic threat analysis using the tool.
- Module analysis
- Process for baselining, whitelisting, and blacklisting
- IIOCs for malicious module characteristics and behaviors
- Criteria for blacklisting and 3rd party sources of contextual information
- Machine and Event analysis
- IIOCs for machine and threat prioritization
- Link modules to events via network and behavior tracking to perform timeline reconstruction
Although RSA NetWitness Endpoint product training is not a strict requirement in preparation for the RSA NetWitness Analysis Examination, it is highly recommended. Analysis of test results of RSA Certification exams indicates that a majority of candidates who attend training prior to testing are more likely to successfully pass the exam on their first attempt.
For full and detailed descriptions of RSA NetWitness Endpoint course offerings, visit:
Many of the areas addressed by the RSA NetWitness Endpoint Analysis exam will be familiar to the candidate who has worked with the RSA NetWitness Endpoint product.
The RSA NetWitness Endpoint Analysis exam content areas cover a wide range of solution functions because a security analyst should expect not only to analyze potential threats, but also to customize and optimize the interface, research threats outside the RSA tool, work closely with and educate system administrators and other personnel, and contribute to the day-to-day operation of an RSA NetWitness Endpoint implementation.
Testing Centers, Locations, and Registration
The RSA NetWitness Endpoint Analysis examination is administered by the Pearson VUE organization – an internationally known examination provider. Examination centers are located worldwide. Visit the Pearson VUE website (http://pearsonvue.com/rsa/) and use the Test Center Locator to find a testing facility convenient to you.
You may also use the Pearson VUE site to create a personal login account and register for an exam. The RSA NetWitness Endpoint Analysis exam code is 050-43-NWE-ANALYST01.
The RSA NetWitness Endpoint Analysis exam consists of 70 questions to be completed in 85 minutes. The exam consists of multiple-choice and multiple-response type questions. The exam is computer-based and closed book: you may not use any printed material, personal computers, calculators, cell phones, etc. during the test. The minimum passing score is 70%. Test results are calculated automatically at the conclusion of the test, and testing center personnel can often provide you with an authorized copy of your results before you leave the testing center.
The fee for taking the exam is US$ 150.00.
The RSA NetWitness Endpoint Analysis exam is available in North American English.
What to expect at the Testing Center
You must present two forms of identification, one of which is a photo identification.
You will be required to electronically accept the terms of an RSA Certification Program Non-Disclosure Agreement before beginning the examination. You are given an additional 5 minutes above and beyond the examination time to read this agreement before accepting.
Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the