RSA NetWitness Platform Analysis 11.4

Document created by Joseph Cantor Employee on Apr 2, 2020Last modified by Joseph Cantor Employee on Apr 28, 2020
Version 4Show Document
  • View in full screen mode

Schedule & Register

Schedule Only

On-demand

 

 

 

In order to register for a class, you need to first create a Dell Education account 

if you need further assistance, contact us.

Summary

This instructor-led course provides experience using the features and functions of RSA NetWitness Platform to to respond to and investigate security incidents.

 

Overview

This classroom training provides hands-on experience using the RSA NetWitness Platform to investigate and document security incidents. The course consists of about 50% hands-on lab work, following a practical methodology from the incident queue through investigation, event reconstruction, damage assessment, and documentation using real-world use cases

 

Audience

Level 1 and Level 2 analysts relatively new to RSA NetWitness Platform, who wish to increase their familiarity with the tool’s features and functions within the context of incident response and analysis.

 

Duration

2 days

 

Prerequisite Knowledge/Skills

Students should have familiarity with the basic processes of cybersecurity analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and integrating log & network traffic to perform analysis on network-based security events.

 

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:

RSA NetWitness Platform Foundations

 

Course Objectives

Upon successful completion of this course, participants should be able to:

  • Identify Analyst roles and SOC models
  • Describe incident types and methods to prioritize incidents
  • Describe the Incident Response process
  • Use analysis tools and interfaces to perform incident response
  • Describe the Investigative Methodology
  • Describe a systematic approach to investigate metadata
  • Describe the Investigation Model
  • Identify types of threats
  • Use the incident response process, the investigative methodology and tools to investigate multiple use cases using packets, logs and endpoint

 

Course Outline

  • Analysis Tools and Processes
    • Security Operations models
      • Security Operations Roles
      • SOC Models
      • Escalation Workflow
    • Incident Response Process
    • Incident Response Tools
      • Monitoring the Respond Interface
      • Assigning an Incident
      • Reviewing Threat Intelligence
      • Obtaining Event Details
      • Reviewing Logs
      • What Should You Look For?
      • Obtaining Additional Information
      • Performing Analysis
      • Investigating Events
      • Creating Meta Groups, Queries, Query Profiles,Custom Column Groups, and Profiles
      • Viewing Encrypted Traffic
      • Documenting the Incident
      • Closing/Escalating/Remediating the Incident
      • Analysis Methodology
  • Investigating Metadata
    • Investigative Methodology
      • Asking the Right Questions
      • Phase 1: Triage
      • Phase 2: Root Cause Analysis
      • Phase 3: Scoping Operations
      • Incident Types
      • Incident Response Process
      • Prioritizing Incidents
    • NetWitness Metadata
      • Layered Contextual Approach
      • Traffic Directionality
      • Network Layer Context Meta
      • Endpoint Process Meta
      • Endpoint Registry Meta
      • Endpoint Network-Process Meta
      • Windows Security Event Log Meta
      • Meta Groups
      • Compromise Meta
      • Session, Service and File Characteristics
    • Threat Examples
      • Phishing
      • Malware
      • Lateral Movement
      • Webshells
      • Command Control
      • Data Exfiltration
  • Analysis Use Cases
    • Responding to a Phishing incident using Packets
    • Responding to a Suspicious Activities incident using Logs
    • Responding to a Drive-by Download incident using Packets and Endpoint
    • Responding to an Apache Struts Exploit incident using Packets, Logs and Endpoint

 

 

Schedule & Register

Schedule Only

On-demand

 

 

In order to register for a class, you need to first create a Dell Education account

If you need further assistance, contact us

Attachments

    Outcomes