Certification Program

NetWitness Certified Associate

About the Certification
This certification reflects the fundamental knowledge required of both the analysts using the NetWitness Platform product and the administrators managing it. This certification is the prerequisite for the next-level NetWitness Specialist certification exams.


Who Should Take the Exam

Anyone with at least one year’s experience as an administrator or analyst using NetWitness Platform versions 11.3, 11.4, or 11.5.


Anyone who has successfully completed and mastered the content in these courses:

  • Introduction to NetWitness
  • NetWitness Platform Foundations
  • NetWitness Endpoint Foundations
  • NetWitness Platform Administration I

Additional Recommended Background and Experience
Certification candidates are most likely to pass with a minimum of two years of experience in at least one of the following technical areas:

  • Network operations
  • Information security analysis
  • Operating systems
  • IT administration


Examination Domains:

The NetWitness Associate exam is comprised of several Domains or topical subject areas. Each Domain is represented by a series of questions designed to evaluate competence and knowledge of elements relating to that area. Exam questions for this certification include the following Domains:



Domain                         % of Examination
Investigate and Analysis       30%
General Product Knowledge      20%
Event Stream Analysis (ESA)    5%


Domain: Investigation & Analysis
Topics include the components, content, and methods used by analysts to perform investigation and related tasks with NetWitness Platform.

Topic examples

  • General operation and analysis tools
    • Data capture
    • Data queries
    • Meta key manipulation
    • Navigate screen customization
  • Content
    • Parsers
    • Feeds
    • Application rules

Domain: Administration
Topics include NetWitness Platform infrastructure, deployment and maintenance processes, and tools used by administrators of NetWitness Platform.


Topic examples

  • Infrastructure functionality
    • Decoders
    • Brokers
    • Concentrators
    • Archiver
    • Overall data flow
    • Services
  • Content and customizations
    • ESA Rules
    • Context Menu Actions
    • Alert forwarding
    • Reporting Engine
    • IndexKeys


Domain: Endpoint
Topics include components, content, and processes used to investigate hosts and files.


Topic examples

  • Endpoint component functionality
    • Endpoint Log Hybrid
    • Packager
    • Relay server
  • Analysis tools
    • Local vs. Global scores
    • Blacklisting and whitelisting
    • File blocking


Domain: General Product Knowledge
Topics include basics about the NetWitness Platform, including components, services and databases.


Topic examples

  • Platform functionality and infrastructure
    • Distinguish functionality of Concentrators, Brokers, Archivers, Admin Server
    • Differentiate purpose of NetWitness Orchestrator, UEBA, Endpoint
    • Database types and roles
  • Concepts
    • Event sources
    • Live
    • Metadata and MetaKeys


Domain: ESA
Topics include use and functionality of ESA rules.


Topic examples

  • Components and concepts
    • Data sources
    • Enrichments
    • Rule Builder


Domain: Reporting
Topics include report creation and customization, as well as related infrastructure.


Topic examples

  • Report options
    • Charts
    • Lists
    • Alerts
    • Parameterization
  • Components
    • Databases
    • Rules


Examination Preparation


Product Training

Although NetWitness Platform product training is not a strict requirement in preparation for the exam, it is highly recommended you complete the courses listed on the first page of this guide.


For more about NetWitness Platform course offerings, visit: https://community.rsa.com/community/training/netwitness


Examination Details


Testing Centers, Locations, and Registration

The examination is administered by Pearson VUE. Their examination centers are located worldwide. Visit the Pearson VUE web site, www.pearsonvue.com/rsa/ and use the Test Center Locator to find a testing facility convenient to you.


You may also use this site to create a personal login account and register for an exam. The exam code is 07-20-NW-ASSOC01


Exam Questions

The exam consists of 70 multiple-choice questions to be completed in 85 minutes. One valid answer should be selected for each question. The exam is computer-based and closed book – you may not use any printed material, personal computers, calculators, cell phones, etc. during the test.


The minimum passing score is 70%. Test results are calculated automatically at the conclusion of the test and testing center personnel can often provide you with an authorized copy of your results before you leave the testing center.


Exam Costs
The fee for taking the exam is US$ 150.00.


Language Availability
The Certified Associate – NetWitness exam is available in North American English.


What to expect at the Testing Center

You must present two forms of identification, one of which is a photo identification.


You will be required to electronically accept the terms of a Certification Program Non-Disclosure Agreement before beginning the examination. You are given an additional 5 minutes above and beyond the examination time to read this agreement before accepting.


Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the exam.

Last update: 2020-11-09 06:25 PM