RSA NetWitness Logs & Network Analysis

Document created by Elizabeth Maloney (Employee) on Jul 8, 2016. Last modified by Connor Mccarthy on Jun 27, 2018. Version 46.

Schedule & Register

Schedule Only

On-demand

In order to register for a class, you need to first create an EMC account. If you need further assistance, contact us.

 

Summary

This instructor-led course provides hands-on experience using the features and functions of RSA NetWitness Logs & Network to perform forensic analysis of network-based security breaches.

 

Overview

This instructor-led classroom-based course provides hands-on experience using the RSA NetWitness Logs & Network tool to identify, investigate and remediate network-based security breaches on your enterprise network. The course consists of about 75% hands-on lab work, following practical use cases from the identification and investigation stages through event reconstruction, damage assessment, and remediation.

 

Audience

SOC analysts relatively new to RSA NetWitness Logs & Network, who wish to increase their familiarity with the tool’s features and functions within the context of SOC breach investigation and analysis.

 

Duration

2 days, including approximately 1 ½ days of hands-on lab exercises.

 

Prerequisite Knowledge/Skills

Students should be familiar with the basic processes of cybersecurity forensic analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and the correlation of log data with network traffic when analyzing network-based security events.

 

Students should have completed the following course (or have equivalent knowledge) prior to taking this training:

  • RSA NetWitness Logs & Network Foundations

 

Course Objectives

Upon successful completion of this course, participants should be able to:

  • Build dynamic dashboards to monitor network alerts
  • Create alerts to populate dashboards
  • Create alerts to populate meta keys
  • Use investigation and event reconstruction techniques to reconstruct breach events
  • Create reports to consolidate alerts across a configurable time period
  • Create alerts to generate incidents in the Incident Queue
  • Assign, document, and remediate incidents from within the Incident Queue
  • Identify, reconstruct, and remediate four sample use cases within the student laboratory SOC environment

 

Course Outline

Lecture

  • A Structured Approach to Analysis
    • Risk Assessment
    • Baselining Traffic
    • Filtering and Carving Data
    • Creating Application Rules
    • Creating Meta Keys
    • Investigating Your Data
  • Identifying Threats
    • Protocol Anomalies
    • Abnormal Traffic
    • Dynamic DNS Servers
    • Uncommon or Known-Bad Domains
    • Source and Destination Countries
    • Mismatched Port and Protocol
    • Suspicious Activity on Critical Assets
    • Data Exfiltration
  • Common Attack Vectors
    • Phishing
    • Malware
    • Lateral Movement
    • Webshells
    • Privilege Escalation
    • Beaconing
    • Command and Control

Lab Exercises

  • Phishing Lab
    • Application Rules
    • Reporting Rules and Alerts
    • Dashboards
    • Incident Management Rules
    • Parsers
  • Drive-By Download Lab
    • Incident Management
    • Session Reconstruction
    • Meta Groups and Column Groups
    • Session Reconstruction
    • Incident Remediation
  • Webshell Lab
    • Application Rules
    • Reporting Rules and Alerts
    • Customizing the Display
    • Session Reconstruction
    • Expanding the Investigation
    • Creating an Incident
    • Creating a Report
  • Malicious Insider Lab
    • ESA Rules
    • ESA Alerts
    • Application Rules
    • Event Reconstruction
    • Incident Queue
