RSA NetWitness Logs & Network Hunting

Document created by Craig Hansen (Employee) on Feb 4, 2016. Last modified by Connor Mccarthy on Aug 8, 2018.

Access Training



In order to register for a class, you need to first create an EMC account.

If you need further assistance, contact us.



This on-demand learning presents techniques prescribed by security experts for quickly locating anomalies on the network as well as methods for enhancing the data set to highlight suspicious activity.



This self-paced on-demand learning presents methods and techniques prescribed by security experts for quickly locating anomalies on the network and for enhancing the data set to highlight suspicious activity. It provides recommended strategies and processes for searching for threats, along with demonstrations of those techniques against a laboratory dataset.



Audience

Anyone interested in using RSA NetWitness Logs & Network to locate anomalies on the network, and to isolate and identify suspicious activity.


Delivery Type

On-Demand Learning



Duration

90 minutes


Prerequisite Knowledge/Skills

Students should have completed the RSA NetWitness Logs & Network Foundations (3-day ILT) course prior to attending this course, or have equivalent experience and knowledge.


Students should be familiar with basic computer architecture, data networking fundamentals and general information security concepts. A background in enterprise networking and data communications is required. Strong knowledge of the TCP/IP protocol stack, as well as of protocols such as DNS, RDP, SSH, ICMP, CIFS, and HTTP, is highly recommended.


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Describe a structured approach to analysis
  • List techniques for filtering and carving data
  • Use application rules, feeds and parsers to highlight threats
  • Identify HTTP protocol anomalies and associated threats
  • Identify RSA NetWitness Logs & Network functions to use in analysis and in the creation of new intelligence
  • Create an alert taxonomy
  • Automate analysis using reports, alerts and incidents
  • Identify common indicators of compromise
  • Use recommended techniques, methods, and processes to resolve use cases


Course Outline

  1. Hunting Strategies
    • Identifying traffic directionality
    • Filtering baseline traffic with network and application rules
    • Identifying HTTP protocol anomalies
    • Identifying unique network traffic patterns generated by a variety of malicious exploits
    • Identifying the difference between network traffic generated by Trojans and normal browsing
    • Defining a taxonomy for alerts
    • Automating analysis with reports, charts, and incidents
  2. Identifying Common Indicators of Malicious Network Traffic
    • Unusual outbound network traffic
    • Anomalies in privileged user account activity
    • Geographical irregularities
    • Login red flags
    • Swells in database read volume
    • HTML response sizes
    • Large numbers of requests for the same file
    • Mismatched port/application traffic
    • Suspicious registry or system file changes
    • DNS request anomalies
    • Unexpected patching of systems
    • Bundles of data in the wrong place
    • Web traffic exhibiting non-human behavior
