RSA NetWitness Endpoint Foundations 11.4

Document created by Joseph Cantor (Employee) on Apr 2, 2020. Last modified by Joseph Cantor (Employee) on Jun 1, 2020.
Version 4

Schedule & Register

Schedule Only

On-demand

In order to register for a class, you need to first create a Dell Education account.

If you need further assistance, contact us

Summary

This classroom-based training introduces security analysts and administrators to the architecture and toolkit for detecting and investigating risk on endpoint hosts.

Overview

This classroom-based training provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course consists of about 50% hands-on lab work, using a virtual lab environment.


Audience

Anyone new to RSA NetWitness Endpoint who is interested in increasing their familiarity with the tool's features and functions within the context of endpoint investigation and analysis.

Duration

2 days


Recommended Prerequisite Knowledge/Skills

There are no prerequisite requirements, but basic knowledge of malware, networking fundamentals, and general security analysis concepts is recommended.

Course Objectives

Upon successful completion of this training, participants should be able to:

  • Describe what RSA NetWitness Endpoint is and what it does
  • Identify architecture components
  • Deploy a new endpoint agent
  • Interpret risk scores and alerts based on endpoint data
  • Explore metadata derived from endpoint scans
  • Customize the data types available in the user interface
  • Perform basic file and host analysis
  • Obtain file and memory samples for forensic analysis
  • Identify potentially malicious timestamp mismatches in MFT files

Course Outline

Module 1 – Introduction

  • What is RSA NetWitness Platform?
  • What is RSA NetWitness Endpoint?
  • Flagging and Remediation options
  • What is a File?
  • Component Overview
  • Typical Responsibilities
  • Interface Modules
  • RSA Live Content

Module 2 – Architecture

  • Overview of Component Complexity
  • High-level Data Flow
  • Seeing NetWitness Hosts and Services in Interface

Module 3 – Endpoint Agents, Hosts, and Scans

  • Insights vs. Advanced Agents
  • Agent deployment and uninstallation
  • Host view
  • Scheduled and On-Demand Scans
  • Policies, Groups, and Ranks

Module 4 – Risk Scores and Metadata

  • Host and File Risk Scores
  • Viewing & Interpreting Metadata

Module 5 – Files and Libraries

  • File viewing and filtering
  • Global vs. Local views
  • Customize display
  • File status
  • Export global files
  • Reset risk view
  • Certificate view
  • Libraries

Module 6 – Processes, Autoruns & Anomalies

  • Compare Files vs. Processes
  • Processes tree view
  • What are autoruns and anomalies?

Module 7 – Alerts and Incidents

  • Compare Incidents vs. Alerts
  • The Role of Respond
  • Create incidents manually
  • Assign Incident to Analyst

Module 8 – Malicious Behavior & App Rules

  • Threat Models
  • Techniques Detected By App Rules

Module 9 – Forensic Samples

  • Sample types
  • MFT download and viewer
  • Timestomping Detection
  • Full System Dump
  • Process Dump
