RSA NetWitness Endpoint Analysis

Document created by Connor Mccarthy (Employee) on Oct 24, 2017. Last modified by Joseph Cantor on Sep 10, 2019.

In order to register for a class, you need to first create an EMC account.

If you need further assistance, contact us.


This in-depth, classroom-based experience enables RSA NetWitness Endpoint security analysts to use all major facets of the NetWitness Endpoint toolkit to identify malicious software and activity.

This instructor-led, classroom-based training provides core essentials training for security analysts employing RSA NetWitness Endpoint. Students participate in an interactive lecture format and put into practice what they learn in instructor-assisted hands-on lab work in a simulated deployment.

This RSA NetWitness Endpoint training is intended as the core training for Tier One security analysts, or as the fundamental knowledge required by experienced security analysts who are new to the tool.

Duration

2 days


Prerequisite Knowledge/Skills

Students should be familiar with the basic processes of security forensic analysis.

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:

  • RSA NetWitness Endpoint Foundations (On-Demand Learning) or RSA NetWitness Endpoint Fundamentals (Classroom)


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Schedule scans using machine groups
  • Interpret scan results based on Module and Machine context
  • Consider advanced threats employing key Windows executables and processes
  • Build a simple attack/intrusion timeline to further chronology-based investigation
  • Create a Yara signature based on a real-world Trojan


Course Outline

  • Module 1 – Introduction
    • Expectations
    • ECAT as Context Detector
    • Ransomware Example
  • Module 2 – Workflows
    • Typical Roles
    • Level 1: Baseline and escalation
    • Level 2: Complete Analysis
    • Level 3: Malware forensics
    • Typical alert responses
  • Module 3 – Endpoint Scans
    • Organize by Machine Group
    • Scan parameters:
      1. Threat ratings
      2. Periodicity
      3. Basic vs. Full Scans
    • Results details
      1. Summary
      2. Downloaded
      3. Agent log
      4. Scan data
      5. More info
  • Module 4 – The Module Analysis Toolkit
    • IIOCs
    • Module Filters
    • External resources
  • Module 5 – Module Context
    • Module location
    • Proliferation (machine count)
    • File names
    • IOC combinations
    • Building a timeline
  • Module 6 – Windows Entities for Security Analysts
    • svchost.exe
    • lsass.exe
    • msiexec.exe
    • WmiPrvSE.exe
    • conhost.exe
    • Webshells
    • Mimikatz.exe
  • Module 7 – Tracking systems
    • Threat assessment
    • Signatures and recognition
    • Characteristics and behavior
    • Context
  • Module 8 – Yara
    • Purpose
    • Mechanics
    • Status
    • Rule Creation and Modification
    • Yara Rule Sources
    • Extract Signature from Trojan
    • Demonstration & Lab
  • Module 9 – Basic module forensics
    • Forensics toolkit in RSA NetWitness Endpoint
    • Other forensics tools
    • Demonstration & Lab