RSA NetWitness Logs & Network Introduction to ESA

Document created by Craig Hansen (Employee) on Feb 4, 2016. Last modified by Connor Mccarthy on Apr 12, 2018.
Version 16

Register Now


In order to register for a class, you need to first create an EMC account

If you need further assistance, contact us

 

Summary

This on-demand learning presents a recommended approach to using RSA NetWitness Logs & Network Event Stream Analysis to detect threats as well as an overview of ESA features and functions.

 

Overview

This self-paced on-demand learning presents a recommended approach to threat analysis and identifies the role of Event Stream Analysis (ESA) in detecting threats. It provides an overview of ESA features and functions, provides recommendations to help you determine when to use ESA rules and covers configuration considerations.

 

Audience

Anyone interested in using RSA NetWitness Logs & Network Event Stream Analysis to detect threats.

 

Delivery Type

On-Demand Learning

 

Duration

45 minutes

 

Prerequisite Knowledge/Skills

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:

 

 

Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Describe a correlation approach
  • Describe ESA and its role in correlation
  • Describe the features and components of ESA
  • Identify when and how to use an ESA rule
  • Describe the basic rule builder
  • Describe how configuration settings affect ESA rules

 

Course Outline

  • A Correlation Approach
    • What is correlation?
    • Why correlation?
    • Detecting threats
    • Addressing the challenges - example
    • A Typical Solution: correlating everything
    • Why this approach is not effective
    • The correlation approach
    • Linking everything together
    • Anatomy of a threat indicator
  • ESA Overview
    • Where ESA fits in the NetWitness Logs & Network Architecture
    • What is ESA?
    • ESA views and components
    • Reporting, correlation and ESA alerts decision chart
    • When to use reports instead of ESA rules
    • The threat detection framework
    • Command and control detection module
  • Creating Basic Rules
    • Rule builder interface
    • Adding whitelists and blacklists
    • Alerts summary
    • ESA Live rules
  • Configuring ESA
    • Adding data sources to ESA
    • Configuring advanced settings
    • Configuring the threat framework for C2
    • Configuring trial rule memory thresholds
    • Configuring enrichments
    • What is the context hub?
    • Configuring the context hub
    • Creating lists
