RSA NetWitness Logs & Network Incident Management

Document created by Craig Hansen Employee on Feb 4, 2016Last modified by Connor Mccarthy on Apr 26, 2018
Version 16Show Document
  • View in full screen mode

Register Now



In order to register for a class, you need to first create an EMC account

If you need further assistance, contact us



This on-demand learning presents a recommended approach to using RSA NetWitness Logs & Network Incident Management to triage and investigate incidents.



This on-demand learning will cover the roles and processes within a typical Security Operations Center (SOC), including the typical responsibilities of a Level 1, 2, and 3 Analyst, and the process for triaging and escalating incidents. Through a series of video demonstrations, you will experience a day in the life of the analysts using the Incident Management module in RSA NetWitness Logs & Network. You will follow an incident from discovery through close and examine how analysts at varying levels triage and investigate incidents.

Anyone interested in using RSA NetWitness Logs & Network Incident Management to triage and investigate incidents.

Delivery Type
On-Demand Learning



90 minutes


Prerequisite Knowledge/Skills

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Identify the common roles in a Security Operations Center (SOC)
  • Define the duties of analysts
  • Define the tasks for Incident Management
  • Summarize the escalation process of Incident Management
  • Triage an incident from discovery through closure


Course Outline

  1. Incident Management Overview
    • What is IM?
    • Terminology
    • Roles within a SOC
      • The SOC Manager
      • The Analyst 1 role
      • The Analyst 2 role
      • The Analyst 3 role
    • Incident escalation process flow
    • SAIM User Interface
    • Creating an Incident Management
    • Dashboard
    • Incident Queue Timeline
    • IM Dashlets
    • Aggregation Rule basics
    • Aggregation Rule evaluation
    • Creating and Editing Aggregation Rules
    • Incident lifecycle
    • Remediation lifecycle
    • Configuring IM
  2. Analyst 1 Video Demonstrations
    • Investigate and Escalate Incidents
    • Close Incidents when Possible
  3. Analyst 2 Video Demonstration
    • Investigate and Close Incidents
  4. What's New in Incident Management?
    • Context Hub Overview
    • Threat Detection Framework
    • Demonstration Video



Register Now



In order to register for a class, you need to first create an EMC account

If you need further assistance, contact us