RSA NetWitness Endpoint Foundations

Document created by Connor Mccarthy Employee on Oct 24, 2017Last modified by Joseph Cantor on Nov 6, 2019

Schedule & Register

Schedule Only




In order to register for a class, you need to first create a Dell Education account 

If you need further assistance, contact us


This classroom-based training introduces security analysts and executives to the major features of RSA NetWitness Endpoint, focusing on Advanced Endpoint functionality introduced in RSA NetWitness Platform 11.3.



This training provides a general introduction to RSA NetWitness Endpoint: its architecture and data flow, its analysis workflow and interface, and some of the characteristics of malicious files and behavior it is designed to detect. The two days consist of roughly 50% lecture and 50% hands-on lab work in a virtual environment.



Anyone new to RSA NetWitness Endpoint who wants to become familiar with the tool's analysis and administration functionality. Familiarity with other RSA NetWitness Platform tools is recommended.



Duration: 2 days


Recommended Prerequisite Knowledge/Skills

  • RSA NetWitness Platform Fundamentals
  • Basic knowledge of malware, networking fundamentals and general security concepts.


Course Objectives

Upon successful completion of this training, participants should be able to:

  • Define what NetWitness Endpoint is and what it does
  • Identify architecture components
  • Triage potentially malicious files and hosts by risk score
  • Navigate the NetWitness Endpoint interface to investigate suspicious files and processes
  • Customize the Endpoint interface
  • Perform basic threat assessment in the context of NetWitness metadata


Course Outline

Module 1 – Introduction

  • The role of Endpoint
  • Event reporting
  • High-level data flow
  • Typical roles and workflow

Module 2 – Architecture

  • Overview
  • Detailed data flow and architecture
  • The Endpoint hybrid

Module 3 – Agents, Hosts, and Scans

  • Advanced vs. Insights
  • Agent Deployment
  • Global Hosts View
  • On-Demand and Scheduled Scans

Module 4 – Risk Scores and Metadata

  • Interpreting scores
  • Global vs. Local scores
  • Endpoint Meta Keys

Module 5 – Files and Libraries

  • Threat assessment and file status
  • Signatures and recognition
  • Characteristics
  • Behavior

Module 6 – Processes, Autoruns, and Anomalies

  • Floating/fileless processes
  • Signatures
  • Registry alterations
  • Hooked filenames and processes

Module 7 – Alerts and Incidents

  • Alert examples
  • Incident creation

Module 8 – Malicious Behavior

  • Malicious behavior cycle




