RSA NetWitness Platform Foundations

Document created by Craig Hansen on Feb 3, 2016. Last modified by Joseph Cantor on Nov 6, 2019.
Version 48

In order to register for a class, you need to first create a Dell Education account

If you need further assistance, contact us


This foundations course focuses on the core features and functions of the RSA NetWitness Logs & Network product for Administrators and Analysts.



This Instructor Led Training (ILT) course provides a foundational overview of the core components of RSA NetWitness Logs & Network. Students gain insight into the core concepts, uses, functions and features of RSA NetWitness Logs & Network and also gain practical experience by performing a series of hands-on labs.



Audience

Anyone new to RSA NetWitness Platform.



Duration

3 days (ILT)


Prerequisite Knowledge/Skills

Students should be familiar with basic computer architecture, networking fundamentals and general information security concepts. Basic knowledge of the TCP/IP protocol stack is beneficial.


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Describe the NetWitness Logs & Network architecture, components and their functions
  • Describe how metadata is created
  • Differentiate between meta keys, meta values, and meta data
  • Investigate data using simple and complex queries
  • Customize the investigation display
  • Filter data using rules
  • Create new meta values using Application and Correlation rules and RSA Live content
  • Create alerts using ESA and reporting rules to track potential threats
  • Create and manage incidents


Course Outline

  1. RSA NetWitness Logs & Network Overview
    • What is RSA NetWitness Logs & Network?
    • RSA NetWitness Logs & Network architecture
    • Supported data sources
    • Key features and functions
    • Customizing the user interface
  2. Investigation Basics
    • What is metadata?
    • Differentiating between packets & network
    • Differentiating between data and metadata
    • Customizing the investigation screens
    • Viewing reconstructed events
    • Writing simple and complex queries
    • Describing the purpose of meta key indexing
    • Customizing data and meta data displays
    • Creating data visualizations
    • Creating meta groups
    • Creating custom column groups
    • Using complex queries, drills and views to perform investigations
  3. Refining the Dataset
    • Filtering data with rules
    • Taxonomy concepts for metadata
    • Using Application rules to create new meta
    • Using Correlation rules to create new meta
    • Deploying content from RSA Live to create new meta
    • Describing how parsers populate meta keys
    • Using alerts and metadata to investigate potential threats
    • Determining the cause of an incident
  4. Reporting and Alerting
    • Creating reports
    • Creating alerts to identify future threats
    • Creating ESA alerts
    • Managing incidents
    • Creating incidents


Course Numbers

ED-SA-TRAINUNIT (Training Units)



