RSA NetWitness Logs & Network Introduction to ESA

Document created by Craig Hansen (Employee) on Feb 4, 2016. Last modified by Connor Mccarthy on Aug 9, 2018.

Access Training



In order to register for a class, you need to first create an EMC account.

If you need further assistance, contact us



This on-demand learning presents a recommended approach to using RSA NetWitness Logs & Network Event Stream Analysis to detect threats as well as an overview of ESA features and functions.



This self-paced on-demand learning presents a recommended approach to threat analysis and identifies the role of Event Stream Analysis (ESA) in detecting threats. It provides an overview of ESA features and functions, provides recommendations to help you determine when to use ESA rules and covers configuration considerations.



Anyone interested in using RSA NetWitness Logs & Network Event Stream Analysis to detect threats.


Delivery Type

On-Demand Learning



45 minutes


Prerequisite Knowledge/Skills

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:



Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Describe a correlation approach
  • Describe ESA and its role in correlation
  • Describe the features and components of ESA
  • Identify when and how to use an ESA rule
  • Describe the basic rule builder
  • Describe how configuration settings affect ESA rules


Course Outline

  • A Correlation Approach
    • What is correlation?
    • Why correlation?
    • Detecting threats
    • Addressing the challenges - example
    • A Typical Solution: correlating everything
    • Why this approach is not effective
    • The correlation approach
    • Linking everything together
    • Anatomy of a threat indicator
  • ESA Overview
    • Where ESA fits in the NetWitness Logs & Network Architecture
    • What is ESA?
    • ESA views and components
    • Reporting, correlation and ESA alerts decision chart
    • When to use reports instead of ESA rules
    • The threat detection framework
    • Command and control detection module
  • Creating Basic Rules
    • Rule builder interface
    • Adding whitelists and blacklists
    • Alerts summary
    • ESA Live rules
  • Configuring ESA
    • Adding data sources to ESA
    • Configuring advanced settings
    • Configuring the threat framework for C2
    • Configuring trial rule memory thresholds
    • Configuring enrichments
    • What is the context hub?
    • Configuring the context hub
    • Creating lists




