This classroom-based training introduces security analysts and executives to the major features of RSA NetWitness Endpoint, including Instant Indicators of Compromise and the Modules and Machines interfaces.
This classroom-based training provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course consists of about 50% hands-on lab work, using a virtual lab environment.
Anyone new to RSA NetWitness Endpoint who is interested in increasing their familiarity with the tool’s features and functions within the context of endpoint investigation and analysis.
1 day (ILT)
There are no prerequisites, but basic knowledge of malware, networking fundamentals and general security concepts is recommended.
Upon successful completion of this training, participants should be able to:
- Discuss what NetWitness Endpoint is and what it does
- Identify architecture components
- Review malicious modules
- Prioritize modules and endpoint machines by apparent threat level
- Navigate the NetWitness Endpoint interface to investigate suspicious files and processes
- Make basic NetWitness Endpoint customizations
- Perform basic analysis
- Module 1 – What is NetWitness Endpoint?
  - The ‘Enterprise Compromise Assessment Tool’
  - Endpoint visibility
  - Analytical tools
  - Scan requests
- Module 2 – Architecture Overview
  - NetWitness Endpoint server
  - NetWitness Endpoint database
  - Key directories
- Module 3 – ECAT Modules
  - Module interface
  - Daily responsibilities
  - Indicators of compromise (IOC)
  - Types of malicious modules
- Module 4 – ECAT Machines
  - View customization
  - Agent maintenance
- Module 5 – Analysis Basics
  - Threat assessment
  - Signatures and recognition
  - Characteristics and behavior