RSA NetWitness Endpoint Foundations 11.4

Document created by Joseph Cantor on Apr 2, 2020. Last modified by Joseph Cantor on Dec 14, 2020.




In order to register for a class, you need to first create a Dell Education account.

If you need further assistance, contact us.


This classroom-based training introduces security analysts and administrators to the architecture and toolkit for detecting and investigating risk on endpoints.



This classroom-based training provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course consists of about 50% hands-on lab work, using a virtual lab environment.



Audience

Anyone new to RSA NetWitness Endpoint who is interested in increasing their familiarity with the tool's features and functions within the context of endpoint investigation and analysis.



Duration

2 days


Recommended Prerequisite Knowledge/Skills

There are no prerequisites, but basic knowledge of malware, networking fundamentals and general security analysis concepts is recommended.


Course Objectives

Upon successful completion of this training, participants should be able to:

  • Describe what RSA NetWitness Endpoint is and what it does
  • Identify architecture components
  • Deploy a new endpoint agent
  • Interpret risk scores and alerts based on endpoint data
  • Explore metadata derived from endpoint scans
  • Customize the data types available in the user interface
  • Perform basic file and host analysis
  • Obtain file and memory samples for forensic analysis
  • Identify potentially malicious timestamp mismatches in MFT records


Course Outline

Module 1 – Introduction

  • What is RSA NetWitness Platform?
  • What is RSA NetWitness Endpoint?
  • Flagging and Remediation options
  • What is a File?
  • Component Overview
  • Typical Responsibilities
  • Interface Modules
  • RSA Live Content

Module 2 – Architecture

  • Overview of Component Complexity
  • High-level Data Flow
  • Seeing NetWitness Hosts and Services in the Interface

Module 3 – Endpoint Agents, Hosts, and Scans

  • Insights vs. Advanced Agents
  • Agent deployment and uninstallation
  • Host view
  • Scheduled and On-Demand Scans
  • Policies, Groups, and Ranks

Module 4 – Risk Scores and Metadata

  • Host and File Risk Scores
  • Viewing & Interpreting Metadata

Module 5 – Files and Libraries

  • File viewing and filtering
  • Global vs. Local views
  • Customize display
  • File status
  • Export global files
  • Reset risk view
  • Certificate view
  • Libraries

Module 6 – Processes, Autoruns & Anomalies

  • Compare Files vs. Processes
  • Process tree view
  • What are autoruns and anomalies?

Module 7 – Alerts and Incidents

  • Compare Incidents vs. Alerts
  • The Role of Respond
  • Create incidents manually
  • Assign Incident to Analyst

Module 8 – Malicious Behavior & App Rules

  • Threat Models
  • Techniques Detected By App Rules

Module 9 – Forensic Samples

  • Sample types
  • MFT download and Viewer
  • Timestomping Detection
  • Full System Dump
  • Process Dump
