RSA NetWitness Endpoint Foundations

Document created by Connor Mccarthy (Employee) on Oct 24, 2017. Last modified by Joseph Cantor on Sep 10, 2019.
Version 33

Schedule & Register

Schedule Only

On-demand


In order to register for a class, you need to first create an EMC account 

If you need further assistance, contact us

Summary

This classroom-based training introduces security analysts and executives to the major features of RSA NetWitness Endpoint, including Instant Indicators of Compromise and the Modules and Machines interfaces.

 

Overview

This classroom-based training provides a general introduction to RSA NetWitness Endpoint functionality. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint tool. The two days consist of about 50% lecture and 50% hands-on lab work in a virtual environment.

 

Audience

Anyone new to RSA NetWitness Endpoint interested in increasing their familiarity with the tool’s analysis and admin functionality. Familiarity with other RSA NetWitness Platform tools is recommended.

 

Duration

2 days

 

Prerequisite Knowledge/Skills

  • RSA NetWitness Platform Fundamentals

Also recommended: basic knowledge of malware, networking fundamentals and general security concepts.

 

Course Objectives

Upon successful completion of this training, participants should be able to:

  • Define what NetWitness Endpoint is and what it does
  • Identify architecture components
  • Triage potentially malicious files and hosts by risk score
  • Navigate the NetWitness Endpoint interface to investigate suspicious files and processes
  • Customize the Endpoint interface
  • Perform basic threat assessment in the context of NetWitness meta

 

Course Outline

Module 1 – Introduction

  • The role of Endpoint
  • Event reporting
  • High-level data flow
  • Typical roles and workflow

Module 2 – Architecture

  • Overview
  • Detailed data flow and architecture
  • The Endpoint hybrid

Module 3 – Agents, Hosts, and Scans

  • Advanced vs. Insights
  • Agent Deployment
  • Global Hosts View
  • On-Demand and Scheduled Scans

Module 4 – Risk Scores and Metadata

  • Interpreting scores
  • Global vs. Local scores
  • Endpoint Meta Keys

Module 5 – Files and Libraries

  • Threat assessment
  • Signatures and recognition
  • Characteristics
  • Behavior

Module 6 – Processes

  • Floating/fileless processes
  • Signatures

Module 7 – Autoruns and Anomalies

  • Investigate registry alterations
  • Hooked filenames and processes

Module 8 – Alerts and Incidents

  • Alert examples
  • Incident creation

Module 9 – Malicious Behavior

  • Types and signs of malicious behavior
  • Activity tracking examples
