Comment: Free training is great, but it lacks logs
I wanted to offer my feedback on the free NetWitness logs and packets training. The courses are great (the Hunting course in particular) and I certainly learnt a lot; however, the one criticism I have is that it focuses on packets and misses anything relating to logs.
I would like to see a bit more about integrating both packets and logs into one type of hunting.
Other than that, the training is great.
Thanks for your input. The free instruction online now is RSA's first step to getting out video content that can help bring customers up to speed faster. I am sure more will be on the way.
Don't let the lack of training content regarding hunting "combined logs and packets" discourage you from trying "just to see what you find". When you find something in the "logs" there are usually clues as to where to go in "packets", and vice versa. I like to set up meta groups and profiles so that I can quickly switch between views to investigate and build queries before returning to a combined view. Meta groups and profiles also cut down the noise on your Investigator panel and speed up your queries. Another item that many people miss is that the report engine can return results quicker in a complex query than the same query run in the UI. I find myself more and more building complex queries in the reporting engine and then "cutting and pasting" them into the UI query field.
Keep digging in. It's the best way to learn.
Art Costigan - RSA Professional Services
I guess what I'm talking about specifically is surrounding the 'Hunting' course. It was focused only on packets.
I'd be interested to see some techniques about how to hunt using logs, and packets and logs.
The hunting course really helped me in getting some ideas about finding the needle in the haystack, but I'd like to learn more about how to augment that with logs.