In order to register for a class, you need to first create a Dell Education account
If you need further assistance, contact us
Summary
This classroom-based training introduces security analysts and executives to the major features of RSA NetWitness Endpoint, focusing on Advanced Endpoint functionality introduced in RSA NetWitness Platform 11.3.
Overview
This training provides a general introduction to RSA NetWitness Endpoint, including architecture and data flow, analysis workflow and interface, as well as characteristics of malicious files and behavior. The two days consist of about 50% lecture and 50% hands-on lab work in a virtual environment.
Audience
Anyone new to RSA NetWitness Endpoint who wants to become more familiar with the tool’s analysis and admin functionality. Familiarity with other RSA NetWitness Platform tools is recommended.
Duration
2 days
Recommended Prerequisite Knowledge/Skills
- RSA NetWitness Platform Foundations or equivalent knowledge
- Basic knowledge of malware, networking fundamentals, and general security concepts
Course Objectives
Upon successful completion of this training, participants should be able to:
- Define what NetWitness Endpoint is and what it does
- Identify architecture components
- Triage potentially malicious files and hosts by risk score
- Navigate the NetWitness Endpoint interface to investigate suspicious files and processes
- Customize the Endpoint interface
- Perform basic threat assessment in the context of NetWitness metadata
Course Outline
Module 1 – Introduction
- The role of Endpoint
- Event reporting
- High-level data flow
- Typical roles and workflow
Module 2 – Architecture
- Overview
- Detailed data flow and architecture
- The Endpoint hybrid
Module 3 – Agents, Hosts, and Scans
- Advanced vs. Insights
- Agent Deployment
- Global Hosts View
- On-Demand and Scheduled Scans
Module 4 – Risk Scores and Metadata
- Interpreting scores
- Global vs. Local scores
- Endpoint Meta Keys
Module 5 – Files and Libraries
- Threat assessment and file status
- Signatures and recognition
- Characteristics
- Behavior
Module 6 – Processes, Autoruns, and Anomalies
- Floating/fileless processes
- Signatures
Module 7 – Autoruns and Anomalies
- Investigate registry alterations
- Hooked filenames and processes
Module 8 – Alerts and Incidents
- Alert examples
- Incident creation
Module 9 – Malicious Behavior
- Types and signs of malicious behavior
- Activity tracking examples