RSA NetWitness Endpoint Foundations

Document created by Connor Mccarthy (Employee) on Oct 24, 2017. Last modified by Joseph Cantor on Sep 10, 2019. Version 33.

In order to register for a class, you need to first create an EMC account 

If you need further assistance, contact us


Overview

This classroom-based training introduces security analysts and executives to the major features of RSA NetWitness Endpoint, including Instant Indicators of Compromise and the Modules and Machines interfaces.

It provides a general introduction to RSA NetWitness Endpoint functionality. Students take part in both lecture and hands-on work with the RSA NetWitness Endpoint tool; the two days consist of about 50% lecture and 50% hands-on lab work in a virtual environment.

Audience

Anyone new to RSA NetWitness Endpoint who wants to become familiar with the tool's analysis and administration functionality. Familiarity with other RSA NetWitness Platform tools is recommended.

Duration

2 days


Prerequisite Knowledge/Skills

  • RSA NetWitness Platform Fundamentals

Basic knowledge of malware, networking fundamentals and general security concepts is also recommended.


Course Objectives

Upon successful completion of this training, participants should be able to:

  • Define what NetWitness Endpoint is and what it does
  • Identify the architecture components
  • Triage potentially malicious files and hosts by risk score
  • Navigate the NetWitness Endpoint interface to investigate suspicious files and processes
  • Customize the Endpoint interface
  • Perform basic threat assessment in the context of NetWitness meta keys


Course Outline

Module 1 – Introduction

  • The role of Endpoint
  • Event reporting
  • High-level data flow
  • Typical roles and workflow

Module 2 – Architecture

  • Overview
  • Detailed data flow and architecture
  • The Endpoint hybrid 

Module 3 – Agents, Hosts, and Scans

  • Advanced vs. Insights
  • Agent Deployment
  • Global Hosts View
  • On-Demand and Scheduled Scans

Module 4 – Risk Scores and Metadata

  • Interpreting scores
  • Global vs. Local scores
  • Endpoint Meta Keys

Module 5 – Files and Libraries

  • Threat assessment
  • Signatures and recognition
  • Characteristics
  • Behavior

Module 6 – Processes

  • Floating/fileless processes
  • Signatures

Module 7 – Autoruns and Anomalies

  • Investigate registry alterations
  • Hooked filenames and processes

Module 8 – Alerts and Incidents

  • Alert examples
  • Incident creation

Module 9 – Malicious Behavior

  • Types and signs of malicious behavior
  • Activity tracking examples
