RSA NetWitness Orchestrator Built on ThreatConnect - Incident Response

Document created by Joseph Cantor (Employee) on Nov 2, 2020. Last modified by Joseph Cantor (Employee) on Nov 2, 2020. Version 2.

On-Demand Lab Details

Register

In order to register for a class, you need to first create a Dell Education account.

If you need further assistance, contact us.

Summary

Looking for hands-on practice with RSA NetWitness Orchestrator Built on ThreatConnect? This On-Demand Lab teaches the skills needed to bridge RSA NetWitness with third-party tools and alerts, and to standardize incident response with playbooks.

Overview

This On-Demand hands-on course outlines and demonstrates the use of RSA NetWitness Orchestrator Built on ThreatConnect for bridging RSA NetWitness with third-party tools and alerts, and for standardizing incident response with playbooks. Fundamental concepts such as incident definitions are also covered.


Audience

All security analysts and SOAR engineers who use Orchestrator Built on ThreatConnect together with the NetWitness Platform.

Delivery Type
On-Demand Lab (self-paced eLearning with lab)


Duration
4 hours
Note: RSA University’s on-demand lab environment is provided for 10 hours of overall practice time over a 14-day period.


Accessing the Lab Environment
Lab exercises are performed in the RSA University virtual lab environment. The downloadable Lab Guide provides detailed instructions on accessing the environment. For more information, please view the document Access RSA University Virtual Labs, available on the RSA University site:

RSA University Content


Prerequisite Knowledge/Skills

Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Describe core RSA NWOTC functionality
  • Implement the NetWitness integration
  • Prepare RSA NWOTC playbook data handling
  • Create and use custom playbooks for incident response
  • Use third-party integrations for collection and enrichment

Course Outline

  • Module 1: Orchestrator highlights
    • Explain the RSA NetWitness Platform components related to incident response.
    • Explain the Incident Response process using RSA NWOTC.
    • Explain the basics of RSA NWOTC functionality related to TIP and SOAR.
  • Module 2: RSA NetWitness Integration
    • Explain RSA NetWitness Respond, alerts and incidents.
    • Explain the ThreatConnect GitHub Repository.
    • Explain the RSA NWOTC Respond/Alerts Connector and a sample playbook.
  • Module 3: Customization Options
    • Explain Incident mapping.
    • Data handling (data field preparation).
  • Module 4: Playbook Creation
    • Explain the prerequisites and configuration for building RSA NWOTC playbooks.
    • Explain the MITRE ATT&CK framework and tagging.
  • Module 5: Conditional logic
    • Explain automatic Logic Branching decisions.
    • Explain manual steps.
  • Module 6: Third Party Product Integration
    • Explain how to find supported third-party solutions.
    • Explain how to create a Slack space for integration.
    • Explain how to implement Slack/Orchestrator integration.
    • Explain how to use Microsoft WinRM to query and extract from a Windows endpoint.
    • Explain how to create a custom feed to be integrated into RSA NWOTC.
    • Explain how to implement a Python script for use in a playbook.
