RSA NetWitness Platform Content Creation 11.3

Document created by Connor Mccarthy (Employee) on Oct 30, 2017. Last modified by Lisa Tiernan on Dec 10, 2019.
Version 22

Schedule & Register

Schedule Only

On-Demand

In order to register for a class, you need to first create a Dell Education account.

If you need further assistance, contact us.

Summary

This instructor-led course provides recommended methodologies for creating content to assist you in discovering, analyzing and resolving threats in RSA NetWitness Platform.

Overview

This course provides recommended methodologies for creating content to assist you in discovering, analyzing and resolving threats in RSA NetWitness Platform. Students will benefit from both lecture and hands-on lab exercises using a virtual environment to practice the techniques learned in class.

Audience

Anyone interested in creating content in RSA NetWitness to highlight and discover potential threats.

Duration

2 days

Prerequisite Knowledge/Skills

Students should have completed, or have knowledge comparable to what is taught in, the following course:

RSA NetWitness Platform Foundations

Course Objectives

Upon successful completion of this course, participants should be able to:

  • Identify what content to use when
  • Describe the data model and process flow
  • Describe how to optimize content for performance and results
  • Monitor the performance of parsers
  • Create content for specific use cases
  • Create content from LIVE and other sources, such as STIX feeds
  • Create content using a recommended process
  • Create an alert taxonomy
  • Use reports to test the efficacy of rules
  • Create content for current threats
  • Whitelist normal traffic and false positives

Course Outline

Content Overview

  • Content types
  • When and how to use content
  • Data model
  • Data process flow
  • Performance considerations
  • Monitoring performance of alerts and parsers
  • Context menus
  • Content resources

Creating Content

  • Creating rules and alerts
  • Creating feeds and lists
  • Creating parsers

Deploying Content from Other Sources

  • LIVE content
  • STIX feeds
  • Entropy parser
  • JA3/JA3S encryption fingerprinting
  • Dashboards
  • MITRE ATT&CK Framework

Content Creation Techniques

  • Recommended methodology
  • Taxonomies
  • Using reporting to test rules
  • Creating content for current threats
  • Whitelisting normal traffic and false positives
  • Creating blacklists
  • Resolving unknown meta
  • Reusing meta keys
