RSA NetWitness Platform Foundations 11.4

Document created by Joseph Cantor (Employee) on Apr 2, 2020. Last modified by Joseph Cantor (Employee) on Dec 14, 2020.
Version 7






To register for a class, you first need to create a Dell Education account.

If you need further assistance, contact us.


This foundations course focuses on the core features and functions of the RSA NetWitness Platform for Administrators and Analysts.



This classroom training provides a foundational overview of the core components of RSA NetWitness Platform. Students gain insight into the core concepts, uses, functions and features and also gain practical experience by performing a series of hands-on labs.



Anyone new to RSA NetWitness Platform.



3 days (ILT)


Prerequisite Knowledge/Skills

Students should be familiar with basic computer architecture, networking fundamentals and general information security concepts. Basic knowledge of the TCP/IP protocol stack is beneficial.


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Describe the RSA NetWitness Platform architecture and data flow
  • Describe the platform’s core components and functions
  • Navigate and customize the user interface
  • Describe how metadata is created and stored
  • Describe parsing and indexing concepts
  • Differentiate between meta keys, meta values, and sessions/events
  • Use event views to perform simple analysis
  • Investigate data using queries, pivots and drill points
  • Describe data filtering techniques
  • Create new meta values using rules and feeds
  • Deploy LIVE content
  • Describe the concept of data correlation and the use of ESA
  • Describe Reporting Engine basics
  • Generate alerts with ESA and the Reporting Engine
  • Create and manage incidents in the RESPOND Module
  • Describe Endpoint Insights features and functions
  • Configure the Endpoint Insights Agent and view Endpoint data
  • Describe the role of UEBA
  • Describe Orchestrator concepts


Course Outline


RSA NetWitness Platform Overview

  • RSA NetWitness Platform components and architecture
  • RSA NetWitness Data
  • RSA NetWitness Interface

Investigation Basics

  • Investigation views
  • Customizing the investigation screens
  • Viewing events
  • Writing simple and complex queries
  • Meta key indexing
  • Customizing data and metadata displays
  • Creating meta groups
  • Creating custom column groups
  • Performing simple investigations 
  • The Context Hub

Refining the Dataset

  • Filtering data with rules
  • Taxonomy concepts for metadata
  • Using Application rules to create new meta
  • Deploying content from RSA Live 
  • Describing how parsers populate meta keys
  • Creating feeds
  • Using alerts and metadata to investigate potential threats

Reporting Engine Basics

  • Reporting Engine configuration options
  • Deploying reports from RSA Live
  • Creating reports
  • Creating reporting alerts

Event Stream Analysis

  • Configuring ESA
  • Creating an ESA enrichment
  • Creating ESA alerts

Incident Management and Respond

  • Components of the RESPOND view
  • Viewing alerts and incidents
  • Incident Rules

Endpoint Insights Agent

  • Configuring Endpoint Insights
  • Endpoint investigation with Hosts and Files
  • Viewing Endpoint data

UEBA Concepts

  • What is UEBA?
  • UEBA user and entity analysis

Orchestrator Concepts

  • What is Orchestrator?
  • Orchestrator concepts










