RSA NetWitness Endpoint Foundations

Document created by Connor Mccarthy Employee on Oct 24, 2017Last modified by Matthew Bradley on Nov 6, 2018
Version 31Show Document
  • View in full screen mode

Schedule & Register

Schedule Only




In order to register for a class, you need to first create an EMC account 

If you need further assistance, contact us


This classroom-based training introduces security analysts and executives to the major features of RSA NetWitness Endpoint, including Instant Indicators of Compromise and the Modules and Machines interfaces.



This classroom-based training provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course consists of about 50% hands-on lab work, using a virtual lab environment.



Anyone new to RSA NetWitness Endpoint interested in increasing their familiarity with the tool’s features and functions within the context of endpoint investigation and analysis.



1 day


Prerequisite Knowledge/Skills

No prerequisite requirements but basic knowledge of malware, networking fundamentals and general security concepts is recommended.


Course Objectives

Upon successful completion of this training, participants should be able to:

  • Discuss what NetWitness Endpoint is and what it does
  • Identify architecture components
  • Review malicious modules
  • Prioritize modules and endpoint machines by apparent threat level
  • Navigate the NetWitness Endpoint interface to investigate suspicious files and processes
  • Make basic NetWitness Endpoint customizations
  • Perform basic analysis


Course Outline

  • Module 1 – What is NetWitness Endpoint?
    • The ‘Enterprise Compromise Assessment Tool’
    • Endpoint visibility
    • Analytical tools
    • Scan requests
  • Module 2 – Architecture Overview
    • Overview
    • NetWitness Endpoint server
    • NetWitness Endpoint database
    • Endpoints
    • Key directories
  • Module 3 – ECAT Modules
    • Module interface
    • Filters
    • Daily responsibilities
    • Indicators of compromise (IOC)
    • Types of malicious modules
  • Module 4 – ECAT Machines
    • Interface
    • Status
    • View customization
    • Groups
    • Agent maintenance
  • Module 5 – Analysis Basics
    • Threat assessment
    • Signatures and recognition
    • Characteristics and behavior
    • Context





Schedule & Register

Schedule Only




In order to register for a class, you need to first create an EMC account

If you need further assistance, contact us