Certification Program

RSA NetWitness Endpoint Administration Exam Guide

The RSA NetWitness Endpoint Certified Administrator is based on the critical job functions typically expected by those providing RSA NetWitness Endpoint services.


An RSA NetWitness Endpoint Administrator may work in professional services within RSA, an RSA Partner organization, or an organization using RSA NetWitness Endpoint.


The expertise expected of an RSA NetWitness Endpoint Administrator typically includes the following areas:

  • An in-depth knowledge of RSA NetWitness Endpoint technology
  • Ability to plan, design, and implement an RSA NetWitness Endpoint solution
  • Aptitude and proficiency with managing RSA NetWitness Endpoint deployments and configurations
  • Ability to support RSA NetWitness Endpoint deployments, providing knowledge transfer of operations, and other guidance to system administrators and security analysts


Candidate Background and ExperienceAn RSA NetWitness Endpoint Administrator candidate should have a minimum of two years of professional experience in one or more of the following technical areas and understand how these technologies relate to the RSA NetWitness Endpoint product:


  • IT admin-level knowledge of Windows and Active Directory and any other operating systems relevant to your environment
    - macOS
    - Linux
  • Network and Internet security administration
    - Information security policy implementation
    - Network security tools


Examination Domains

The RSA NetWitness Endpoint Administration examination is comprised of four major Domains (subject areas). Each Domain is represented by a series of questions designed to evaluate competence and knowledge of the elements relating to that domain. The following table approximates the importance of each domain in the exam:


Domain% of Examination
1.0: RSA NetWitness Endpoint User Interface20 %
2.0: RSA NetWitness Endpoint Architecture25 %
3.0: RSA NetWitness Endpoint Installation25%
4.0: RSA NetWitness Endpoint Administration30%


Domain 1.0: RSA NetWitness Endpoint User Interface
The RSA NetWitness Endpoint Administrator must have a comprehensive knowledge of the product’s default interface, the methods available for customizing the interface, and familiarity with features visible by default and available in the various areas of the User Interface.


Content Areas

  •  Machines View
    - Interpret status, threat indicator, and properties fields
    - Optional fields of content hidden by default
  • Modules View
    - Filtering, threat indicator, and properties fields
    - Optional fields of content hidden by default
  • Other interface areas
    - Main Menu: Dashboard, InstantIOCs, IP List, Downloads, Events, Blocking
    - Other options: Operating System tabs, Restore Layout, Refresh


Domain 2.0: RSA NetWitness Endpoint Architecture
The RSA NetWitness Endpoint Administrator must have a comprehensive knowledge of the RSA NetWitness Endpoint product, component architecture, requirements, and typical configuration options.


Content Areas

  •  ConsoleServer and SQL database
  • Agent and Agent Packager
  • Remote Agent Relay functionality


Domain 3.0: RSA NetWitness Endpoint Installation
The RSA NetWitness Endpoint Administrator must have the knowledge to install, connect, and configure all components of an RSA NetWitness Endpoint deployment.


Content Areas

  • SQL Database creation
  • ConsoleServer installation
    - Options, license, CID
  • Agent deployment


Domain 4.0: RSA NetWitness Endpoint Administration

The RSA NetWitness Endpoint Administrator must be able to manage RSA NetWitness Endpoint servers and agents, and execute typical day-to-day administrative functions.


Content Areas

  • Managing NetWitness Endpoint deployment
    - Agent addition
    - Preparation for NetWitness Endpoint upgrade
    - Functionality of RSA Live Connect Threat Intelligence Service
    - Global parameter setting and relevant performance trade-offs
  • Machine Groups and Scans
    - Machine Group creation
    - Scan definition and relevant performance trade-offs
  • User and Role management
    - Role creation and assignment
    - User creation and association with roles
    - Permissions details


Examination Preparation


Product Training
Although RSA NetWitness Endpoint product training is not a strict requirement in preparation for the RSA NetWitness Administration Examination, it is highly recommended. Analysis of test results of RSA Certification exams indicates that a majority of candidates who attend training prior to testing are more likely to successfully pass the exam on their first attempt.


For full and detailed descriptions of RSA NetWitness Endpoint course offerings, visit: https://community.rsa.com/community/training/netwitness


Product Experience
Many of the areas addressed by the RSA NetWitness Endpoint Administration exam will be familiar to the candidate who has worked with the product.


The RSA NetWitness Endpoint Administration exam content areas cover a wide range of solution functions because an administrator may be called upon to perform deployments, troubleshoot issues, plan and execute upgrades and expansions, work closely with and educate system administrators and other personnel, and maintain the day-to-day operation of an RSA NetWitness Endpoint implementation.


Examination Details


Testing Centers, Locations, and Registration


The RSA NetWitness Endpoint Administration examination is administered by the Pearson VUE organization – an internationally known examination provider. Examination centers are located worldwide. Visit the Pearson VUE web site (http://pearsonvue.com/rsa/) and use the Test Center Locator to find a testing facility convenient to you.


You may also use the Pearson VUE site to create a personal login account and register for an exam. The RSA NetWitness Endpoint Administration exam code is 050-43-NWE-ADMIN01.


Exam Questions


The RSA NetWitness Endpoint Administrator exam consists of 70 questions to be completed in 85 minutes. The exam consists of multiple-choice and multiple-response type questions. The exam is computer-based and closed book – you may not utilize any printed material, personal computers, calculators, cell phones, etc. during the test.


Exam Costs
The fee for taking the exam is US$ 150.00.


Language Availability

The RSA NetWitness Endpoint Administration exam is available in North American English.


What to expect at the Testing Center

You must present two forms of identification; one of which is a photo identification.


You will be required to electronically accept the terms of an RSA Certification Program Non-Disclosure Agreement before beginning the examination. You are given an additional 5 minutes above and beyond the examination time to read this agreement before accepting.


Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the

No ratings
Version history
Last update:
‎2019-04-17 01:13 PM
Updated by:
Article Dashboard