Certification Program

RSA NetWitness Endpoint Analysis Exam Guide

This examination is based on the critical job functions typically expected by those providing security analyst
services with RSA NetWitness Endpoint.


An RSA NetWitness Endpoint Analyst typically works in professional services, incident response, or another
security implementation role within RSA, within an RSA Partner organization, or within an organization using RSA
NetWitness Endpoint.


The expertise expected of an RSA NetWitness Endpoint security analyst includes in-depth knowledge in these areas:

  • The characteristics and behavior of malicious software and related intrusion tactics
  • The RSA NetWitness Endpoint technology and related technologies
  • Ability to perform basic module analysis and event timeline reconstruction


Candidate Background and Experience

An RSA NetWitness Endpoint Analysis candidate should have a minimum of two years of professional experience in one or more of the following technical areas and understand how these technologies relate to the RSA NetWitness Endpoint product:

  • IT admin-level knowledge of relevant operating systems
    - Windows and Active Directory
    - macOS
    - Linux
  • Threat analysis
    - Intrusion lifecycle
    - Intrusion tactics
    - Static or dynamic malware analysis


Examination Domains

The RSA NetWitness Endpoint Analysis examination is comprised of three major Domains (subject areas). Each
Domain is represented by a number of questions designed to evaluate competence and knowledge relating to
that domain. The following table approximates the importance of each domain in the exam:


Domain% of Examination
1.0: RSA NetWitness Endpoint User Interface35 %
2.0: RSA NetWitness Endpoint Architecture25 %
3.0: RSA NetWitness Endpoint Analysis Basics40%


Domain 1.0: RSA NetWitness Endpoint User Interface
The RSA NetWitness Endpoint security analyst must have a comprehensive knowledge of the product’s default
interface, the methods available for customizing the interface, and familiarity with features visible by default and
available in the various areas of the User Interface.


Content Areas

  • Machines View
    - Interpret status, threat indicator, and properties fields
    - Optional fields of content hidden by default
  • Modules View
    - Filtering, threat indicator, and properties fields
    - Optional fields of content hidden by default
  • Other interface areas
    - Main Menu: Dashboard, InstantIOCs, IP List, Downloads, Events
    - Other options: Operating System tabs, Restore Layout, Refresh


Domain 2.0: RSA NetWitness Endpoint Architecture
The RSA NetWitness Endpoint security analyst must have a comprehensive knowledge of the RSA NetWitness
Endpoint product, component architecture, requirements, and typical configuration options.


Content Areas

  • ConsoleServer and SQL database
  • Agent and Agent Packager
  • Remote Agent Relay functionality


Domain 3.0: RSA NetWitness Endpoint Analysis Basics
RSA NetWitness Endpoint security analysts must display the ability to perform basic threat analysis using the tool.


Content Areas

  • Module analysis
    - Process for baselining, whitelisting, and blacklisting
    - IIOCs for malicious module characteristics and behaviors
    - Criteria for blacklisting and 3rd party sources of contextual information
  •  Machine and Event analysis
    - IIOCs for machine and threat prioritization
    - Link modules to events via network and behavior tracking to perform timeline reconstruction


Examination Preparation


Product Training
Although RSA NetWitness Endpoint product training is not a strict requirement in preparation for the RSA NetWitness Analysis Examination, it is highly recommended. Analysis of test results of RSA Certification exams indicates that a majority of candidates who attend training prior to testing are more likely to successfully pass the exam on their first attempt.


For full and detailed descriptions of RSA NetWitness Endpoint course offerings, visit:


Product Experience
Many of the areas addressed by the RSA NetWitness Endpoint Analysis exam will be familiar to the candidate who has worked with the RSA NetWitness Endpoint product.


The RSA NetWitness Endpoint Analysis exam content areas cover a wide range of solution functions because a security analysts should expect to not only analyze potential threats, but also customize and optimize the interface, research threats outside the RSA tool, work closely with and educate system administrators and other personnel, and contribute to the day-to-day operation of an RSA NetWitness Endpoint implementation.


Examination Details


Testing Centers, Locations, and Registration


The RSA NetWitness Endpoint Analysis examination is administered by the Pearson VUE organization – an internationally known examination provider. Examination centers are located worldwide. Visit the Pearson VUE website (http://pearsonvue.com/rsa/) and use the Test Center Locator to find a testing facility convenient to you.


You may also use the Pearson VUE site to create a personal login account and register for an exam. The RSA NetWitness Endpoint Analysis exam code is 050-43-NWE-ANALYST01.


Exam Questions


The RSA NetWitness Endpoint Analysis exam consists of 70 questions to be completed in 85 minutes. The exam consists of multiple-choice and multiple-response type questions. The exam is computer-based and closed book– you may not utilize any printed material, personal computers, calculators, cell phones, etc. during the test. The minimum passing score is 70%. Test results are calculated automatically at the conclusion of the test and testing center personnel can often provide you with an authorized copy of your results before you leave the testing center.


Exam Costs
The fee for taking the exam is US$ 150.00.


Language Availability

The RSA NetWitness Endpoint Analysis exam is available in North American English.


What to expect at the Testing Center

You must present two forms of identification; one of which is a photo identification.


You will be required to electronically accept the terms of an RSA Certification Program Non-Disclosure Agreement before beginning the examination. You are given an additional 5 minutes above and beyond the examination time to read this agreement before accepting.


Re-taking the Exam
There is no limit on the number of times that you can re-take the certification exam. However, to maintain integrity and confidentiality of the test items, 14 days is the required elapsed time before retaking the test a third time. Please note that you must pay the full exam fee each time that you retake the

No ratings
Version history
Last update:
‎2019-04-17 01:36 PM
Updated by:
Article Dashboard