About the Certification
This certification reflects the fundamental knowledge required of administrators managing NetWitness Platform deployments. The prerequisite for this certification is the NetWitness Certified Associate certification.
Who Should Take the Exam
Anyone with at least two years of experience as administrator using NetWitness Platform versions 11.3, 11.4, or 11.5.
Anyone who has successfully completed and mastered the content in these University courses:
- NetWitness Platform Administration I
- NetWitness Platform Administration II
- NetWitness Platform Content Creation
- NetWitness ESA EPL Rules
- NetWitness Using REST API
- NetWitness Log Parser Creation
- NetWitness Event Source Configuration
- NetWitness LUA Parsers for Logs
Additional Recommended Background and Experience
Certification candidates are most likely to pass with a minimum of two years of experience in at least one of the following technical areas:
- Network operations
- Information security analysis
- Operating systems
- IT administration
The NetWitness Certified Specialist – Administrator exam is comprised of several Domains or topical subject areas. Each Domain is represented by a series of questions designed to evaluate competence and knowledge relating to that area. Exam questions for this certification include the following Domains:
|Domain||% of Examination|
|Content Creation ||30%|
|General Product Knowledge||20%|
Domain: Content Creation
Topics include the various content created to serve the investigation goals of your organization, and tools related to creation and implementation.
- Distinguish between flex and log parsers
- Languages parsers can be written in
- Lua parser tokens
- Other content
- ESA basic and EPL rules
- Application rules
- Reporting rules
- Context menu actions
- STIX feeds
- CmdScript Plugin Collection
Domain: General Product Knowledge
Topics include the components every administrator must be familiar with when managing NetWitness Platform.
- NetWitness architecture
- NetWitness Services
Topics include the range of configuration activities required to enable NetWitness functionality.
- Endpoint agent creation/installation
- Endpoint policies
- Event source configuration
- Functionality enablement
- ESA alerts
- Data retention thresholds
Topics include a range of tools such as the general UI, REST API, and Health & Wellness alerts.
- Config view
- Health & Wellness policies and alerts
- REST API
- Services that can be monitored by REST
- Commands and their key parameters
Domain: User Management
Topics include role definitions and authentication.
- Privileges associated with each role
- Custom role requirements
- Identity providers
- Threat Aware Authentication
Although NetWitness Platform product training is not a strict requirement in preparation for the exam, it is highly recommended you complete the courses listed on the first page of this guide.
For more about NetWitness Platform course offerings, visit: https://community.rsa.com/community/training/netwitness
Testing Centers, Locations, and Registration
The examination is administered by Pearson VUE. Their examination centers are located worldwide. Visit the Pearson VUE web site, www.pearsonvue.com/rsa/ and use the Test Center Locator to find a testing facility convenient to you.
You may also use this site to create a personal login account and register for an exam. The exam code is 08-20-NW-SPEC-ADM-01.
The exam consists of 70 multiple choice questions to be completed in 85 minutes. One valid answer should be selected for each question. The exam is computer-based and closed book – you may not utilize any printed material, personal computers, calculators, cell phones, etc. during the test.
The minimum passing score is 70%. Test results are calculated automatically at the conclusion of the test and testing center personnel can often provide you with an authorized copy of your results before you leave the testing center.
The fee for taking the exam is US$ 150.00.
The NetWitness Certified Specialist – Administrator exam is available in North American English.
What to expect at the Testing Center
You must present two forms of identification; one of which is a photo identification.
You will be required to electronically accept the terms of a Certification Program Non-Disclosure Agreement before beginning the examination. You are given an additional 5 minutes above and beyond the examination time to read this agreement before accepting.
Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the exam.