RSA NetWitness® Suite
Enablement Guide
__________________________________
Training and Certification
Sales, Sales Engineers, and Delivery Roles
Contents
RSA NETWITNESS SALES ENABLEMENT
Sales Learning Path (Required)
RSA NetWitness Sales Associate Required Courses
RSA NetWitness Sales Associate Optional Courses
RSA NETWITNESS SYSTEMS ENGINEER ENABLEMENT
Systems Engineer Learning Path
Systems Engineer Enablement Process
RSA NetWitness Systems Engineer Associate Courses
RSA NetWitness Systems Engineer Professional Courses
RSA NetWitness Systems Engineer Master Courses
RSA NETWITNESS SUITE DELIVERY SERVICES ENABLEMENT
Delivery Services Learning Path
RSA NetWitness Suite Delivery Services Enablement Process
RSA NetWitness Suite Delivery Services Associate
RSA NetWitness Suite Delivery Services Professional
RSA NetWitness Suite Delivery Services Master
RSA NETWITNESS SALES ENABLEMENT
Sales Learning Path (Required)
Associate
Why Partner with RSA NetWitness
Business-Driven Security and RSA NetWitness Suite
Introduction to Evolved SIEM
Problems Solved by RSA NetWitness
RSA NetWitness Suite within the Security Stack
Identifying RSA NetWitness Suite Opportunities
RSA NetWitness Suite Customer Use Cases
RSA NetWitness Suite- Evolved SIEM Sales Scenario
Securing Data in the Cloud with RSA NetWitness Suite
RSA NetWitness Endpoint Detection & Response
RSA NetWitness Endpoint Sales Scenario
RSA NetWitness Endpoint Customer Story
Winning with RSA NetWitness Suite
RSA NetWitness Suite Pricing & Packaging
Solution Frequency Series #1
RSA NetWitness Sales Associate Required Courses
All required and optional training can be accessed on the Partner Portal
2018-2019: RSA NetWitness Sales Associate
SALES ASSOCIATE - REQUIRED
| COURSE NAME | DESCRIPTION | DURATION (min:sec) |
|---|---|---|
| Why Partner with RSA NetWitness | Learn how partnering with RSA is beneficial and how you can be successful selling RSA NetWitness Suite. | 2:36 |
| Business-Driven Security and RSA NetWitness Suite | Learn what Business-Driven Security and RSA NetWitness are, how RSA NetWitness Suite fits into the Business-Driven Security strategy, and | 6:27 |
| Introduction to Evolved SIEM | In this short video you will learn about the evolution of SIEM, SIEM goals versus the reality of SIEM, and some SIEM organization requirements. | 2:58 |
| Problems Solved by RSA NetWitness | Laura MacDonald, an advisory systems engineer, will tell you about RSA NetWitness capabilities and some RSA NetWitness success stories. | 4:15 |
| RSA NetWitness Suite within the Security Stack | Here you will learn about some important customer pain points and how RSA NetWitness fits in. | 5:31 |
| Identifying RSA NetWitness Suite Opportunities | In this video you will get a high-level overview of the RSA NetWitness platform and learn how to position RSA NetWitness to identify opportunities. | 4:33 |
| RSA NetWitness Suite Customer Use Cases | Amy Blackshaw addresses five things to listen for in customer meetings to position an RSA NetWitness opportunity. | 4:27 |
| RSA NetWitness Suite- Evolved SIEM Sales Scenario | Learn about some benefits of evolved SIEM and some discovery questions you can use to find an RSA NetWitness opportunity. | 5:09 |
| Securing Data in the Cloud with RSA NetWitness Suite | Mary Roark, a principal product marketing manager, talks about RSA NetWitness discovery questions, benefits of RSA NetWitness Suite for the cloud, and shares a customer success story. | 4:28 |
| RSA NetWitness Endpoint Detection & Response | David D’Aprile speaks to EPP and EDR differences and how RSA NetWitness Endpoint can be deployed and detect. | 4:23 |
| RSA NetWitness Endpoint Sales Scenario | In this video you’ll learn some benefits of RSA NetWitness Endpoint, some target customers, and customers’ pains and challenges to look out for. | 3:57 |
| RSA NetWitness Endpoint Customer Story | This video tells a customer success story. | 1:53 |
| Winning with RSA NetWitness Suite | This video will tell you about some unique differentiators of RSA NetWitness, why taxonomy is critical, and some advanced analytics. | 3:33 |
| RSA NetWitness Suite Pricing & Packaging | Learn about the new pricing approach and licensing details of RSA NetWitness. | 1:31 |
| Solution Frequency Series #1 | Joe answers some questions that he gets out in the field. | 8:19 |

Estimated Total Time: 51:12 Minutes
RSA NetWitness Sales Associate Optional Courses
All required and optional training can be accessed on the Partner Portal
2018-2019: RSA NetWitness Sales Associate
SALES ASSOCIATE - OPTIONAL
| COURSE NAME | DESCRIPTION | DURATION (min:sec) |
|---|---|---|
| RSA NetWitness Suite Customer Testimonials | Listen to some customer testimonials from Adobe, Berkshire Bank, and KMD. | 4:46 |

Estimated Total Time: 4:46 Minutes
RSA NETWITNESS SYSTEMS ENGINEER ENABLEMENT
Systems Engineer Learning Path
Associate
RSA NetWitness Logs and Packets Overview
Business Driven Security Whiteboard
RSA NetWitness Packets Augmented SIEM Sales Scenario
RSA NetWitness Logs and Packets Architecture Whiteboard
RSA NetWitness EndPoint Architecture Whiteboard
RSA NetWitness Suite Foundations - EndPoint
RSA NetWitness Suite - EndPoint “Set the Hook” demo
Event Analysis Overview
Exploring the User Interface
Professional
RSA NetWitness Suite - Logs and Packets -Leveraging Core Service Features
RSA NetWitness Suite - Context Hub Re-Engineering
RSA NetWitness Suite - EndPoint Integration
RSA NetWitness Suite - Logs and Packets - Parsers Overview
RSA NetWitness Suite - EndPoint Analysis
RSA NetWitness Suite - EndPoint - YARA Rules Basics
RSA NetWitness Suite - Logs - Event Source Discovery
RSA NetWitness Suite - NetWitness EndPoint Use Case Demo
Master
RSA NetWitness Suite - Upgrading RSA NetWitness
RSA NetWitness Suite - Custom Demo Tips & Tricks
RSA NetWitness Suite - Logs and Packets - Hunting Pack Overview
RSA NetWitness Suite - Hunting APTs with RSA NetWitness
RSA NetWitness Suite - Logs and Packets - SSL Features
RSA NetWitness Suite - RSA NetWitness and the Cloud
RSA NetWitness Suite - Packets - Lua Parsers Overview
Systems Engineer Enablement Process
1. RSA NETWITNESS SYSTEMS ENGINEER ASSOCIATE COURSES
Complete Associate Level Required Training. This training will provide you with the foundational understanding of the Network
visibility and Endpoint Platforms and specifically the RSA NetWitness Logs and Packets/Endpoint Products. You will also be
exposed to the focus domains, selling and positioning the domains for your customers.
2. RSA NETWITNESS SYSTEMS ENGINEER PROFESSIONAL COURSES
Practice and prepare for NetWitness Logs and Packets/Endpoint configurations, Incident Management and Use Case
Scenarios. These areas are essential to understanding and delivering NetWitness Logs and Packets/Endpoint Solutions to
your customers.
3. RSA NETWITNESS SYSTEMS ENGINEER MASTER COURSES AND MENTORING
Once Steps 1 & 2 are successfully completed, RSA NetWitness Logs and Packets/Endpoint Practice resource(s) will be
available to review your ability to conduct full RSA NetWitness Logs and Packets/Endpoint Solution demos and pre-sales
based conversations. They will be able to provide mentoring. Mentoring can include, but is not limited to, ad hoc activities such
as SME support for specific solutions, SME support for technical issues, and overall project guidance.
RSA NetWitness Systems Engineer Associate Courses
All required and recommended training can be accessed on the Partner Portal
2018-2019 RSA NetWitness Systems Engineer ASSOCIATE
ASSOCIATE – REQUIRED
| COURSE NAME | DESCRIPTION | DURATION (Hours) |
|---|---|---|
| RSA NetWitness Suite - Logs and Packets - Overview | This video demonstrates the re-designed RSA NetWitness Logs and Packets user interface. After watching this video, an SE should be able to demonstrate the capabilities of RSA NetWitness Logs and Packets. | :10 |
| Business Driven Security Whiteboard | This video will explain the RSA Business Driven Security strategy, and how to correlate it to customers’ needs. | :15 |
| RSA NetWitness Suite – Logs and Packets – Augmented SIEM Sales Scenario | This video will explain why implementing RSA NetWitness Packets on top of an existing log-centric SIEM is necessary in customers’ security operations centers. After viewing this video, an SE should be able to explain how to leverage RSA NetWitness Packets to enrich and aid investigations. | :05 |
| RSA NetWitness Suite - Logs and Packets Architecture Whiteboard | This video will provide a logical view of the RSA NetWitness Logs and Packets architecture. After watching this video, an SE should be able to explain the architectural components of RSA NetWitness Logs and Packets, what functions they perform, and how they communicate with each other. | :10 |
| RSA NetWitness Suite - Endpoint Architecture Whiteboard | This video will provide a logical view of the RSA NetWitness Endpoint architecture. After watching this video, SEs should be able to explain what the architectural components of RSA NetWitness Endpoint are, what functions they perform, and how they communicate with each other. | :05 |
| RSA NetWitness Suite – Endpoint Foundations | This video will provide a thorough overview of RSA NetWitness Endpoint. After viewing this video, SEs should be able to explain how RSA NetWitness Endpoint monitors network endpoints and assesses risk. SEs should also be able to navigate the RSA NetWitness Endpoint user interface. | :20 |
| RSA NetWitness Suite - Endpoint “Set the Hook” demo | This video shows the basic demonstration of the RSA NetWitness Suite: Endpoint. An SE should be able to do this demo very quickly for any initial customer visit. | :12 |
| RSA NetWitness Suite – Logs and Packets – Event Analysis Overview | This video will provide an overview of the newly re-designed event analysis capability of RSA NetWitness Logs and Packets. After watching this video, an SE should be able to demonstrate the functionality of event analysis, including analyzing raw packet data, identifying requests and responses, and decoding selected text. | :06 |
| RSA NetWitness Suite – Logs and Packets – Exploring the User Interface | This video series will provide a thorough overview of the RSA NetWitness Logs and Packets user interface. After watching this video, an SE should be able to navigate RSA NetWitness Logs and Packets and demonstrate the capability of the different views in RSA NetWitness Logs and Packets. | :10 |

Estimated Total Time: 1.5 hours
RSA NetWitness Systems Engineer Professional Courses
All required and recommended training can be accessed on the Partner Portal
2018-2019 RSA NetWitness Systems Engineer PROFESSIONAL
PROFESSIONAL – REQUIRED
| COURSE NAME | DESCRIPTION | DURATION (Hours) |
|---|---|---|
| RSA NetWitness Suite – Logs and Packets – Leveraging Core Service Features | This video will describe the new features of the core services of RSA NetWitness Logs and Packets. After viewing this video, SEs should be able to describe each core service, the functions they perform, and how new features can aid in threat detection and response. | :25 |
| RSA NetWitness Suite – Logs and Packets – Context Hub Re-Engineering | This video will provide an overview of the RSA NetWitness Logs and Packets Context Hub. After viewing this video, SEs should be able to explain and demonstrate how to navigate to the Context Hub, the different views of the Context Hub, and how the Context Hub can further enrich investigations. | :05 |
| RSA NetWitness Suite – Endpoint Integration | This video will detail how to integrate RSA NetWitness Endpoint with an existing RSA NetWitness Logs and Packets implementation. After watching this video, SEs will be able to demonstrate the integration and how the two RSA NetWitness products work together to enrich investigations. | :10 |
| RSA NetWitness Suite – Logs and Packets – Parsers Overview | This video will show the RSA NetWitness Logs and Packets log data flow, describe the role of parsers in RSA NetWitness Logs and Packets and the process used to create and deploy log parsers. | :15 |
| RSA NetWitness Suite – Endpoint Analysis | This video will show how to schedule scans using machine groups, interpret scan results based on Module and Machine context and consider advanced threats employing key Windows executables and processes. | :30 |
| RSA NetWitness Suite – Endpoint- Yara Rules Overview | This video explains YARA rules: their purpose and mechanics. It then shows how to check status and create and modify rules, and covers YARA rule sources and extracting signatures from Trojans. | :05 |
| RSA NetWitness Suite – Logs and Packets – Event Source Discovery | This video will provide an overview of the event source discovery capabilities of RSA NetWitness Logs. After viewing this video, an SE should be able to explain how event sources are defined in RSA NetWitness. | :05 |

Estimated Total Time: 1.5 hours
RSA NetWitness Systems Engineer Master Courses
All required and recommended training can be accessed on the Partner Portal
2018-2019 RSA NetWitness Systems Engineer MASTER
MASTER – REQUIRED
| COURSE NAME | DESCRIPTION | DURATION (Hours) |
|---|---|---|
| RSA NetWitness Suite – Upgrading RSA NetWitness | This video will demonstrate the proper way of upgrading the RSA NetWitness Suite to newer versions. After viewing this video, SEs should be able to explain how to upgrade to newer versions, demonstrate the upgrade process, and offer best practices to customers wanting to upgrade. | :30 |
| RSA NetWitness Suite – Preparing for a Custom Demonstration | This video will provide helpful tips when preparing for a custom demonstration for a customer. | :05 |
| RSA NetWitness Suite – Logs and Packets – Hunting Pack Overview | This video will review and demonstrate the power of the RSA NetWitness Hunting Pack, available for download from RSA Live. After watching this video, SEs should be able to explain the methodology behind hunting for threats, and demonstrate the effectiveness of the RSA NetWitness Hunting Pack. | :20 |
| RSA NetWitness Suite – Hunting APTs with the RSA NetWitness Suite | This video will replicate a cyber-attack from beginning to end, and demonstrate how the RSA NetWitness Suite enables threat detection and response. | :20 |
| RSA NetWitness Suite – RSA NetWitness Suite and the Cloud | This video will review how the RSA NetWitness Suite can help identify threats in customers’ cloud deployments. After viewing this video, SEs will be able to explain how the RSA NetWitness Suite ingests logs and packets from various cloud deployments in a customer’s environment. | :10 |
| RSA NetWitness Suite – Logs and Packets – SSL Features | This video will review how the RSA NetWitness Suite handles the blind spot that encrypted traffic causes in customers’ environments. After watching this video, SEs will be able to demonstrate how RSA NetWitness can decrypt and enrich incoming traffic. | :10 |
| RSA NetWitness Suite Packets – Lua Parsers Overview | This video will review Lua Parsers in depth. After viewing this video, SEs will be able to explain how Lua Parsers work, their primary function, and begin to demonstrate the creation of custom Lua Parsers. | :10 |

Estimated Total Time: 1.5 hours
RSA NETWITNESS SUITE DELIVERY SERVICES ENABLEMENT
Delivery Services Learning Path
Associate
NetWitness Logs and Packets Introduction
Delivery Methodology
Foundations
Core Administration
Incident Management
Intro to ESA
Installation and Configuration
Troubleshooting Methodology Framework
NetWitness Logs and Packets Introduction to Troubleshooting
Endpoint Foundations
NetWitness Endpoint Administration
Selling and Scoping NetWitness Services
Endpoint Fundamentals
Endpoint Installation
Business-Driven Security
How to Sell NetWitness Training
SecOps Manager Essentials
SecOps Manager Installation
Professional
NetWitness Logs and Packets Event Sources
NetWitness Logs and Packets Log Parsers Overview
NetWitness Logs and Packets ESA EPL Rules
NetWitness Logs and Packets Malware Analysis
NetWitness Logs and Packets Hunting
NetWitness Logs and Packets 10G Interface Installation
NetWitness Logs and Packets Analysis
NetWitness Logs and Packets Troubleshooting User Roles
NetWitness Context Hub Deep Dive and Troubleshooting Tips
NetWitness Logs and Packets Troubleshooting ESA EPL Rules
NetWitness Logs and Packets Troubleshooting the Platform
NetWitness Logs and Packets Troubleshooting Upgrades
NetWitness Endpoint Analysis
NetWitness Endpoint Hunting
NetWitness Endpoint Troubleshooting
RSA SecOps Manager Implementation
NetWitness Logs and Packets Tuning and Optimization
NetWitness Endpoint Writing Yara Rules
Master
NetWitness Logs and Packets WinRM Configuration and Troubleshooting
Hunting Workshop for Analysts
NetWitness Logs and Packets LUA Parsers
NetWitness Logs and Packets Integration with RSA NetWitness Endpoint
NetWitness Logs and Packets REST API
NetWitness Packets and Splunk Integration
NetWitness LUA Parsers for Logs
NetWitness Logs and Packets Tuning and Optimization
On-Demand Lab
On-Demand Classroom
On-Demand Learning
RSA NetWitness Suite Delivery Services Enablement Process
Remove the Master Certification from the slide.
1. Complete the RSA NetWitness Associate REQUIRED training
See information that follows for a complete list of all Associate-level training. Note that Optional training is highly recommended as it
will address new product releases and other topics that are important for successful delivery services engagements.
2. Pass the RSA NetWitness Endpoint Certified Associate Exam
The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Associate path. The time
allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Endpoint Certified
Associate certification. Refer to the “Certification” section of this guide for additional information on how to register and complete the
RSA NetWitness Endpoint Certified Associate exam. You have 2 attempts to attain a score of 70 or higher. If you do not pass the
Associate exam, next steps will be determined by your Channel Manager.
3. Pass the RSA NetWitness Logs and Packets Certified Associate Exam
The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Associate path. The time
allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Logs and Packets
Certified Associate certification. Refer to the “Certification” section of this guide for additional information on how to register and
complete the RSA NetWitness Logs and Packets Certified Associate exam. You have 2 attempts to attain a score of 70 or higher. If
you do not pass the Associate exam, next steps will be determined by your Channel Manager.
4. Complete the RSA NetWitness Professional REQUIRED training
See information that follows for a complete list of all Professional-level training. Note that Optional training is highly recommended as
it will address new product releases and other topics that are important for successful delivery services engagements.
5. Pass the RSA NetWitness Endpoint Certified Professional Exam
The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Professional path. The
time allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Endpoint Certified
Professional certification. Refer to the “Certification” section of this guide for additional information on how to register and complete
the RSA NetWitness Endpoint Certified Professional exam. You have 2 attempts to attain a score of 70 or higher. If you do not pass
the Professional exam, next steps will be determined by your Channel Manager. Note that you cannot complete the RSA NetWitness
Endpoint Certified Professional exam without successfully passing the RSA NetWitness Endpoint Certified Associate exam.
6. Pass the RSA NetWitness Logs and Packets Certified Professional Exam
The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Professional path. The
time allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Logs and Packets
Certified Professional certification. Refer to the “Certification” section of this guide for additional information on how to register and
complete the RSA NetWitness Logs and Packets Certified Professional exam. You have 2 attempts to attain a score of 70 or higher.
If you do not pass the Professional exam, next steps will be determined by your Channel Manager. Note that you cannot complete
the RSA NetWitness Logs and Packets Certified Professional exam without successfully passing the RSA NetWitness Logs and
Packets Certified Associate exam.
7. Complete the RSA NetWitness Master REQUIRED training
See information that follows for a complete list of all Professional-level training. Note that Optional training is highly recommended as
it will address new product releases and other topics that are important for successful delivery services engagements.
8. Participate in RSA NetWitness Shadow/Reverse Shadow with RSA NetWitness Professional Services
Participate in Shadow/Reverse Shadow with the RSA Delivery Team for 6 weeks. Delivery includes working side-by-side
with RSA Practice members to deliver customer projects. Reverse shadowing will include all phases of the delivery
methodology with a strong focus on achieving a positive impact on customer satisfaction.
9. Successfully complete the Performance Testing by RSA Archer Professional Services
After successfully demonstrating capability to deliver Archer Services in an effective manner while also achieving a high level of
customer satisfaction, final evaluation will be administered. Upon a successful evaluation, you will receive accreditation
to perform RSA NetWitness Delivery Services.
RSA NetWitness Suite Delivery Services Associate
All required and recommended training can be accessed on the Partner Portal
2018-2019 RSA NetWitness Delivery Services Associate
ASSOCIATE – REQUIRED
| COURSE NAME | DESCRIPTION | DURATION (hours) |
|---|---|---|
| RSA NetWitness Logs and Packets Introduction | This on-demand learning provides an introduction to the RSA NetWitness Logs and Packets product, along with the components and different appliances that make up an RSA NetWitness Logs and Packets implementation. You will first familiarize yourself with the RSA NetWitness Logs and Packets product, its functionality, and different customer implementations. You will then review the architecture and various components of RSA NetWitness Logs and Packets. Finally, you will examine the way data flows throughout an RSA NetWitness Logs and Packets implementation. | 1 |
| RSA Service Delivery Methodology Overview | A self-paced eLearning course primarily designed for new hires, at both Consultant and Project Management level. It is intended to provide an overview of the RSA PS Delivery Methodology, including the Service Delivery Framework. | .5 |
| RSA NetWitness Logs and Packets Foundations | Provides a foundational overview of the core components of RSA NetWitness Logs and Packets. Students gain insight into the core concepts, uses, functions and features of RSA NetWitness Logs and Packets and also gain practical experience by performing a series of hands-on labs. | 24 |
| RSA NetWitness Logs and Packets Core Administration | Provides an overview of essential administrative tasks that are performed for RSA NetWitness Logs and Packets. Students gain insight into Configuring Devices, Monitoring and User Management within RSA NetWitness Logs and Packets and also gain practical experience by performing a series of hands-on labs. | 16 |
| RSA NetWitness Logs and Packets Incident Management | Covers the roles and processes within a typical Security Operations Center (SOC), including the typical responsibilities of a Level 1, 2, and 3 Analyst, and the process for triaging and escalating incidents. Through a series of video demonstrations, you will experience a day in the life of the analysts using the Incident Management module in RSA NetWitness Logs and Packets. You will follow an incident from discovery through close and examine how analysts at varying levels triage and investigate incidents. | 1.5 |
| RSA NetWitness Logs and Packets Introduction to ESA | Presents a recommended approach to threat analysis and identifies the role of Event Stream Analysis (ESA) in detecting threats. It provides an overview of ESA features and functions, provides recommendations to help you determine when to use ESA rules and covers configuration considerations. | .75 |
| RSA NetWitness Logs and Packets Installation and Configuration | Walks you through the process of installing RSA NetWitness Logs and Packets. Through a series of videos, you will first review the hardware components of a NetWitness Logs and Packets implementation. You will then walk through how to install the various services, including: the Server, Decoders, the Concentrator, and Broker. You will then be shown how to configure the services and connect them together to allow data to flow through the system. After confirming data is flowing through the system, you will review the steps to check the health and wellness of the system. Lab exercises provide you with the ability to practice what you have learned. To maximize the value of your learning experience, this course also includes access to RSA University’s virtual environment. | 2 |
| RSA Troubleshooting Methodology Framework | Provides a general overview of the RSA Troubleshooting Methodology Framework that MSSP Consultants and CS Learners can apply and follow to ensure better customer experiences. The course is intended to be an ‘Introduction/Prerequisite’ before learners move on to Troubleshooting Methodology Framework specific to RSA NetWitness Logs and Packets and RSA NetWitness Endpoint. | .5 |
| RSA NetWitness Logs and Packets Introduction to Troubleshooting | Improves your understanding of how to troubleshoot RSA NetWitness Logs and Packets 10.4. Through a series of interactions and “just-show-me” video demonstrations, this course will answer common questions about troubleshooting RSA’s NetWitness Logs and Packets and provide you with the concepts needed to begin troubleshooting on your own. The content is specific to NetWitness Logs and Packets version 10.4. However, there is a lot of commonality between versions and some of the things that you learn may be used to troubleshoot older or newer versions of NetWitness Logs and Packets. Please keep this in mind as you proceed because there may well be variances based on the version. | 2.5 |
| RSA NetWitness Endpoint Foundations | Provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course consists of about 50% hands-on lab work, using a virtual lab environment. | 8 |
| RSA NetWitness Endpoint Administration | This training is intended for anyone responsible for maintaining a deployment of RSA NetWitness Endpoint. The eLearning and on-demand lab provide instruction and practice in the core responsibilities of any RSA NetWitness Endpoint Administrator, including management of scans, notifications, and global parameters. Additional topics include machine and user group creation and assignment, endpoint agent roll-outs, performance and usability evaluation, endpoint memory capture for troubleshooting, and upgrade enablement. The lab exercises focus on practicing these common real-world tasks. Approximately 60 minutes of coursework with 30 minutes lab exercises in virtual environment. | 1.5 |
| Selling & Scoping NetWitness Suite Services | Provides a comprehensive overview for Selling and Scoping NetWitness Suite (formerly ASOC) Solutions, both from a Professional Services (PS) and an Ed Services (ES) perspective. The training content takes a modular approach. | 1 |
| RSA NetWitness Endpoint Fundamentals | Provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course consists of about 50% hands-on lab work, using a virtual lab environment. | 1.25 |
| RSA NetWitness Endpoint Installation | Walks through the prerequisites and tasks associated with planning and executing an RSA NetWitness Endpoint installation. Topics include deployment architecture options, best practices for avoiding common installation pitfalls, functional tests to ensure the installation was successful, and video demonstrations to reinforce the material. | 4 |
| RSA Business Driven Security | RSA Archer Product Marketing Manager delivers a video discussing how RSA can help organizations deliver what we call Business-Driven Security. With its new Business-Driven Security architecture, RSA aims to provide organizations the tools needed to link security information to business context and protect the most sensitive assets. The RSA Business-Driven Security solutions focus on threat detection and response, consumer fraud protection, identity and access assurance, and business risk management. | .25 |

Estimated Total Time: 65 hours
2018 – 2019 RSA NetWitness Suite Delivery Services Associate
ASSOCIATE – OPTIONAL
COURSE NAME
DESCRIPTION
DURATION (hours)
RSA SecOps Manager
Essentials
Provides practitioner-level training on the business need for managing security operations and the
business impact of the RSA Archer Security Operations Management (SecOps) solution and its basic
functionality. Content provides a basic understanding of the challenges of managing IT security
operations, and describes how SecOps is positioned to address those challenges. Students will learn
about the basic functionality of SecOps – from managing a Security Operations Center (SOC) to managing
incident response and data-breach response – and will learn how the SecOps solution enables
organizations to manage the entire lifecycle with integrated business context and best practices aligned
with industry standards. This course introduces the key personas involved in security operations
management, as well as presenting typical security operations management workflows and describes how
various roles have full visibility into the entire process lifecycle with focused workflows, dashboards, and
reports.
1.5
RSA SecOps Manager
Installation
Is intended for any Consultants responsible for installing the RSA NetWitness SecOps Manager
Installation Solution. This course addresses fundamental concepts, knowledge, and tasks required to
install and perform base-level configuration of SecOps to an initial state. Content includes integration with
required middleware, and configuring integration between SecOps and RSA Security Analytics.
5
Estimated Total Time: 2 Hours
RSA NetWitness Suite Delivery Services Professional
All required and recommended training can be accessed on the Partner Portal
2018 – 2019 RSA NetWitness Delivery Services Professional
PROFESSIONAL – REQUIRED
COURSE NAME
DESCRIPTION
DURATION (hours)
RSA NetWitness Logs and
Packets Event Sources
Provides an overview of how RSA NetWitness Logs and Packets log collection is configured and
performed for a variety of event source types such as Windows, File Reader, ODBC, Check Point
Firewall, VMware, SDEE, SNMP and Netflow.
2
RSA NetWitness Logs Parser
Overview
Provides students with the knowledge and skills to create and deploy log parsers for use within RSA
NetWitness Logs. Students will be introduced to reviewing the metadata framework, creating log parsers
using the RSA Event Source Integrator (ESI) tool, and deploying log parsers within RSA
NetWitness Logs.
2
RSA NetWitness Logs and
Packets ESA EPL Rules
Identifies a best practice strategy for creating EPL rules as well as for learning the EPL rule syntax. It
uses examples and use cases to illustrate EPL rule concepts, such as streams, constructs, data
windows and time constraints.
1.5
RSA NetWitness Packets
Malware Analysis
Provides students with training on the Malware Analysis module of RSA NetWitness Packets. Topics
include an overview of the Malware Analysis module, configuration steps, and conducting an
investigation. Lab exercises provide students with the ability to practice what they have learned. To
maximize the value of your learning experience, this course also includes access to RSA University’s
virtual environment.
4
RSA NetWitness Logs and
Packets Hunting
Presents methods and techniques prescribed by security experts for quickly locating anomalies on the
network and for enhancing the data set to highlight suspicious activity. It provides recommended
strategies and processes for searching for threats, along with demonstrations of those techniques
against a laboratory dataset.
1.5
RSA NetWitness Logs and
Packets 10G Interface
Installation
Demonstrates the installation and configuration processes for a 10Gb capture interface card on the RSA
NetWitness Packet Decoder. The RSA NetWitness Packet Decoder can capture data at very high
speeds with the addition of a 10Gb network interface card. This on-demand learning describes the card
installation options, demonstrates the physical installation process, and then demonstrates the software
configuration required to capture data at 10Gb speeds.
1.5
RSA NetWitness Logs and
Packets Analysis
Provides hands-on experience using the RSA NetWitness Logs and Packets tool to identify, investigate
and remediate network-based security breaches on your enterprise network. The course consists of
about 75% hands-on lab work, following practical use cases from the identification and investigation
stages through event reconstruction, damage assessment, and remediation.
16
RSA NetWitness Logs and
Packets Troubleshooting Use
Roles
This on-demand learning focuses on the RSA NetWitness trust model and how users, roles, and
permissions control user access to the RSA NetWitness Logs and Packets environment. Use cases will
be provided to demonstrate incorrect role configuration, symptoms, and fixes to correct the role.
.5
RSA NetWitness Context Hub
Deep Dive and
Troubleshooting Tips
Presents an overview of the RSA NetWitness Logs and Packets Context Hub service. Topics include
how to properly configure it for various data sources, how it works under the hood, and tips and tricks
for troubleshooting. The concept behind this eLearning is to educate students on the proper way to work
with the Context Hub, thus eliminating the need to do a lot of troubleshooting in the future. This course
is primarily intended for NetWitness Administrators but will provide insight to Analysts as well.
3
RSA NetWitness Logs and
Packets Troubleshooting ESA
EPL Rules
Improves your understanding of how to troubleshoot RSA NetWitness Logs and Packets Event Stream
Analysis (ESA) rules. While troubleshooting ESA in general is an important skill, the #1 issue in the field
is troubleshooting ESA rules in particular. With "just show me" videos, this course addresses the most
common reasons that rules don't work. It first discusses ways to determine whether or not it is a "rule
issue." It outlines the most common "rule issues" and provides approaches to resolving them. The
course continues with tips, tricks, and tools for troubleshooting rules and general strategies for working
with rules. It also will help you avoid some common "Gotchas." The content is designed for
troubleshooting the 10.x versions of the product.
1.5
RSA NetWitness Logs and
Packets Troubleshooting the
Platform
Improves your understanding of troubleshooting the RSA Security Analytics platform found in 10.4 and
above. Through a series of “just-show-me” video demonstrations, this course will address the most
common platform issues and will provide you with the tools you need to better isolate issues. The
content is specific to Security Analytics version 10.4. However, there is a lot of commonality between
versions and some of the things that you learn may be used to troubleshoot older or newer versions of
Security Analytics. Please keep this in mind as you proceed because there may well be variances based
on the version. The course begins by discussing how to reduce Puppet issues and then spells out
specific commands that you can use to validate when things are running correctly and narrow down
issues with Puppet, MCollective, RabbitMQ, and Collectd.
2.5
RSA NetWitness Logs and
Packets Troubleshooting
Upgrades
Describes how to upgrade RSA NetWitness Logs and Packets software. In the process of demonstrating
upgrades, troubleshooting techniques and possible upgrade issues are identified.
1
RSA NetWitness Endpoint
Analysis
Provides core essentials training for security analysts employing RSA NetWitness Endpoint. Students
participate in an interactive lecture format and put into practice what they learn in instructor-assisted
hands-on lab work in a simulated deployment.
16
RSA NetWitness Endpoint
Hunting
Presents techniques prescribed by security analysts for employing RSA NetWitness Endpoint to locate
sophisticated targeted attacks. Finding known malware and obviously malicious behavior is easy with
this tool’s Instant Indicators of Compromise, but sophisticated intrusions can be far more challenging.
Indicators of specific exploits and threats, such as common keylogging techniques, are detailed.
2
RSA NetWitness Endpoint
Troubleshooting
Examines common troubleshooting issues customers face in RSA NetWitness Endpoint
implementations. You will first be presented with a common troubleshooting methodology framework in
the context of RSA NetWitness Endpoint. Then, you will examine a number of common customer use
cases where you will identify the root cause of the issue, and remediate the problem.
2
RSA SecOps Manager
Implementation
Addresses the implementation and operationalization of the RSA NetWitness SecOps Manager
Implementation. The course focuses on the primary tasks to implement and integrate SecOps with
Enterprise Management and Security Analytics into a security solution. Course content includes an
overview of how SecOps integration works, the importance of requirements identified in a statement
of work and ACD design document, implementation roles and responsibilities, and the primary tasks
to implement SecOps. The course includes a series of videos demonstrating the key implementation
tasks. Lab exercises provide students with the ability to practice what they have learned. To
maximize the value of your learning experience, this course also includes access to RSA University’s
virtual environment.
4
RSA NetWitness Logs and
Packets Tuning and
Optimization
Covers RSA NetWitness Logs and Packets performance tuning and optimization topics, allowing
analysts to improve performance through query optimization and efficient rule syntax. Students will
also gain administrative skills to optimize performance through proper device configuration, database
tuning, creating groups for aggregation and monitoring Health and Wellness alerts.
4
Estimated Total Time: 65 Hours
PROFESSIONAL – OPTIONAL
COURSE NAME
DESCRIPTION
DURATION (hours)
RSA NetWitness Endpoint
Writing Yara Rules
Provides an introduction to writing rules for RSA NetWitness Endpoint using YARA. Students will gain
familiarity with the YARA tool's syntax and functionality to write rules that optimize flexibility and
minimize false positives.
.75
Estimated Total Time: .75 Hours
RSA NetWitness Suite Delivery Services Master
All required and recommended training can be accessed on the Partner Portal
2018 – 2019 RSA NetWitness Delivery Services Master
MASTER – REQUIRED
COURSE NAME
DESCRIPTION
DURATION (hours)
RSA NetWitness Logs and Packets
WinRM Configuration and
Troubleshooting
Provides students with training on a tool to assist in both configuring and
troubleshooting WinRM event sources for RSA NetWitness Logs using an automated
script. Students will also receive an overview of the Kerberos authentication protocol.
2
RSA Hunting Workshop for Analysts
Presents students with the opportunity to perform a realistic forensic security analysis
in a hands-on environment working with RSA NetWitness Logs and Packets and
RSA NetWitness Endpoint. Students will be provided with a complex, multipart
cyberattack use case to work through, and will be tasked with finding key evidence
about the attack, identifying targeted and compromised systems, reconstructing the
sequence of events, and proposing a remediation plan. Students will be given a
minimum amount of introductory information, and will conduct their analyses using
their knowledge of networking protocols, endpoint operating systems, and common
cyberattack vectors. An instructor will be present to guide students individually as
they work their way through the data set.
16
RSA NetWitness Logs and Packets LUA
Parsers
Will serve as an introduction to RSA NetWitness LUA Packet Parsers. It is suitable
for RSA NetWitness Analysts and Administrators interested in better
understanding how packet parsers work and becoming familiar with the process of
writing their own custom packet parser.
1.5
RSA NetWitness Logs and Packets
Integration with NetWitness Endpoint
Describes how to integrate RSA NetWitness Logs and Packets and RSA NetWitness
Endpoint to perform investigations using both tools. It covers various forms of
integration including syslog, Live feeds, recurring feed and Incident Management
(message bus).
1
RSA NetWitness Using the REST API
Will explore the different ways to access key metrics, controls, and metadata within
RSA NetWitness Logs and Packets. It begins by reviewing how RSA has
implemented the REST API and reasons for its use. Then, through a series of
demonstrations, it shows Administrators, Developers, and security team members
how to "get," "set," and use data from the back-end of the RSA NetWitness product in
a programmatic fashion. Different access methods such as use of the NetWitness
GUI, the REST GUI, CLI use of curl, and automated uses within tutorial scripts are
presented and compared. The course even provides a sample Python script that you
can extend for your own use. Lab exercises walk you through "real life" examples of
REST API's use and give you the foundations to begin your own research and use of
this powerful tool.
3
RSA NetWitness Packets and Splunk
Integration
Provides students with the knowledge and skills to configure Splunk® Enterprise and
RSA NetWitness Packets to view security logs in Splunk, view Splunk metadata in
RSA NetWitness Packets, link to Splunk data through a context menu, send logs to
Splunk via an ESA alert, and send Reporting Engine logs to Splunk.
1.5
Estimated Total Time: 25 Hours
MASTER – OPTIONAL
COURSE NAME
DESCRIPTION
DURATION (hours)
RSA NetWitness LUA Parsers for Logs
Will provide students with an overview of creating custom log parsers for RSA
NetWitness using Lua. Students will cover topics such as when to use a custom
parser, the components of a Lua parser, how to create the Lua parser for logs and
basic troubleshooting.
1
RSA NetWitness Packets and Splunk
Integration
Provides students with the knowledge and skills to configure Splunk® Enterprise and
RSA NetWitness Packets to view security logs in Splunk, view Splunk metadata in
RSA NetWitness Packets, link to Splunk data through a context menu, send logs to
Splunk via an ESA alert, and send Reporting Engine logs to Splunk.
1.5
RSA NetWitness Logs and Packets
Tuning and Optimization
Covers RSA NetWitness Logs and Packets performance tuning and optimization
topics, allowing analysts to improve performance through query optimization and
efficient rule syntax. Students will also gain administrative skills to optimize
performance through proper device configuration, database tuning, creating groups
for aggregation and monitoring Health and Wellness alerts.
4
Estimated Total Time: 6.5 Hours