RSA NetWitness Platform Analysis

Document created by Elizabeth Maloney (Employee) on Jul 8, 2016. Last modified by Joseph Cantor on Sep 10, 2019.

In order to register for a class, you need to first create an EMC account. If you need further assistance, contact us.


This instructor-led course provides experience using the features and functions of RSA NetWitness Logs & Network to perform forensic analysis on network-based security breaches.



Overview

This instructor-led, classroom-based course provides hands-on experience using the RSA NetWitness Logs & Network tool to identify, investigate and remediate network-based security breaches on your enterprise network. The course consists of about 75% hands-on lab work, following practical use cases from the identification and investigation stages through event reconstruction, damage assessment, and remediation.



Audience

SOC analysts relatively new to RSA NetWitness Logs & Network who wish to increase their familiarity with the tool’s features and functions within the context of SOC breach investigation and analysis.



Duration

2 days, including approximately 1 ½ days of hands-on lab exercises.


Prerequisite Knowledge/Skills

Students should have familiarity with the basic processes of cybersecurity forensic analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and integrating log & network traffic to perform analysis on network-based security events.


Students should have completed the following course (or have equivalent knowledge) prior to taking this training:

  • RSA NetWitness Logs & Network Foundations


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Build dynamic dashboards to monitor network alerts
  • Create alerts to populate dashboards
  • Create alerts to populate meta keys
  • Use investigation and event reconstruction techniques to reconstruct breach events
  • Create reports to consolidate alerts across a configurable time period
  • Create alerts to generate incidents in the Incident Queue
  • Assign, document, and remediate incidents from within the Incident Queue
  • Identify, reconstruct, and remediate four sample use cases within the student laboratory SOC environment


Course Outline


  • A Structured Approach to Analysis
    • Risk Assessment
    • Baselining Traffic
    • Filtering and Carving Data
    • Creating Application Rules
    • Creating Meta Keys
    • Investigating Your Data
  • Identifying Threats
    • Protocol Anomalies
    • Abnormal Traffic
    • Dynamic DNS servers
    • Uncommon or known-bad domains
    • Source and destination countries
    • Mismatched port and protocol
    • Suspicious activity on critical assets
    • Data Exfiltration
  • Common Attack Vectors
    • Phishing
    • Malware
    • Lateral Movement
    • Webshells
    • Privilege Escalation
    • Beaconing
    • Command and Control

Lab Exercises

Phishing Lab

  • Application Rules
  • Reporting Rules and Alerts
  • Dashboards
  • Incident Management Rules
  • Parsers

Drive-By Download Lab

  • Incident Management
  • Session Reconstruction
  • Meta Groups and Column Groups
  • Session Reconstruction
  • Incident Remediation

Webshell Lab

  • Application Rules
  • Reporting Rules and Alerts
  • Customizing the Display
  • Session Reconstruction
  • Expanding the Investigation
  • Creating an Incident
  • Creating a Report

Malicious Insider Lab

  • ESA Rules
  • ESA Alerts
  • Application Rules
  • Event Reconstruction
  • Incident Queue
