RSA NetWitness Endpoint Tuning and Optimization

Document created by Elizabeth Maloney (Employee) on Oct 3, 2016. Last modified by Elizabeth Maloney (Employee) on May 1, 2017.
Version 5

In order to register for a class, you need to first create an EMC account
If you need further assistance, contact us




This on-demand lab presents the tasks required to optimize the deployment after a successful RSA NetWitness Endpoint installation.


This self-paced on-demand lab covers the crucial tasks that follow RSA NetWitness Endpoint installation. Creating a Baseline kickstarts the list of trusted entities that lets RSA NetWitness Endpoint analysts sift through the noise and focus on unknown files and processes. The course introduces ongoing whitelisting and blacklisting methodologies. We also customize the RSA NetWitness Endpoint user interface and create custom Yara rules and Instant Indicators of Compromise (IIOCs) that reflect the hunting objectives of the organization, and make any IIOC "alertable" to provide notifications. Lab exercises give students the ability to practice what they have learned. To maximize the value of your learning experience, this course also includes access to RSA University's virtual environment.


Anyone responsible for the ongoing enhancement of an RSA NetWitness Endpoint deployment, and anyone who wants to optimize their RSA NetWitness Endpoint environment, including RSA NetWitness Endpoint analysts and administrators.


Delivery Type
On-Demand Lab

1.5-hour course and 1-hour lab
Note: RSA University’s lab environment is provided for 10 hours of overall practice time over a 14-day period.

Accessing the Lab Environment
Lab exercises are performed in the RSA University virtual lab environment. The downloadable Lab Guide provides detailed instructions on accessing the environment. For more information, please view the document Access RSA University Virtual Labs, available on the RSA University site: RSA University Content.


Prerequisite Knowledge/Skills
Students should have completed the following course or have equivalent experience with the tool:


Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Create a baseline and perform ongoing whitelisting and blacklisting
  • Create custom Yara rules and Instant Indicators of Compromise
  • Customize the RSA NetWitness Endpoint user interface
  • Customize the Modules and Machines views
  • Create a new Yara rule
  • Create a custom IIOC
  • Create a Machine group and add an endpoint machine
  • Perform administrative tasks from the RSA NetWitness Endpoint User Interface


Course Outline

  • Module 1 - Introduction
    • RSA NetWitness Endpoint Threat Detection
    • Start with the Statement of Work
  • Module 2 - Optimize
    • What Modules Can RSA NetWitness Endpoint Evaluate?
    • Kickstart Whitelisting with a Baseline
    • Identify Gold Master Machines
    • Module Analysis
    • What is Hooking?
    • Edit Blacklist/Whitelist Status
    • Download modules for Analysis
  • Module 3 - Customize & Extend
    • Dashboard customization
    • Machine Groups
    • Agent annotation from UI
    • Agent administration from UI
    • Custom module display
  • Module 4 - Notify
    • Enable/Disable Alerts
    • IIOC Alert Types
    • Alert Delivery Methods
    • Enable Syslog Alerts
    • Alerting by Machine Group


Exercise 1: Set Module Display Option in Faceted Filtering
Exercise 2: Customize Display with Filter Editor
Exercise 3: Grouping Column Headers to Customize Display
Exercise 4: Create Whitelist
Exercise 5: Identify Suspicious Modules and Add to Blacklist
Exercise 6: Create Custom IIOC
Exercise 7: Modify IOC Level
Exercise 8: Create a Custom Machine Group
Exercise 9: Annotate Machine Status in Machines Table
Exercise 10: Administer Endpoint from Machines Table
Exercise 11: Create a Yara Rule
Exercise 12: Examine application with MS Strings
Exercise 13: Create an email/SMTP alert
