In this course, you will focus on administration of the RSA NetWitness product. You will learn to install and configure RSA NetWitness components, including a Log Decoder, managing users, and creating filters and rules. You will also cover integration with other products, monitoring capabilities, and troubleshooting of common issues.

What You'll Learn

• RSA NetWitness component and data flows
• Install RSA NetWitness software
• Configure RSA NetWitness components
• Set up packet and log capture
• Set up LIVE feeds
• Manage users
• Create rules and filters
• Integrate NetWitness with other products
• Monitor RSA NetWitness
• Troubleshoot RSA NetWitness

Who Needs to Attend

RSA NetWitness administrators

Prerequisites

Familiarity with networking fundamentals and general information security concepts

Follow-On Courses

There are no follow-ons for this course.

Course Outline

1. RSA NetWitness

• RSA NetWitness Architecture
• RSA NetWitness Components
• Data Flow between Components

2. Appliance Setup and Software Installation

• RSA NetWitness Appliance Setup
• RSA NetWitness Software Components

3. Configuring RSA NetWitness

• Managing Services
• Configuring and Managing Devices
• Setting Up Data Collection of Packets and Logs
• Viewing Packets and Logs in Investigator

4. RSA NetWitness Live

• Configuring NetWitness Live Subscriptions
• Managing a Live Feed

5. Managing Users

• User Management Interface
• User Groups and Roles
• Creating Users and Groups
• Viewing Groups and Roles
• Configuring External Authentication
• Editing User Settings
• Informer Roles
• Creating Informer Users

6. Creating Rules and Filters

• Rules, Filters, Feeds and Parsers
• Decoder Filters and Informer Rules
• Best Practices for Creating Filters and Rules
• Creating Decoder Filters
• Creating Informer Rules and Alerts
• Creating a Feed
• Pushing a Rule to the Decoder
• Reprocessing a Collection

7. Integrating RSA NetWitness with Other Products

• NetWitness SIEM Link
• Setting Up Informer to Communicate with SIEM Products
• Connecting to HP ArcSight
• RSA enVision Connector

8. Monitoring RSA NetWitness

• Tools Used to Monitor RSA NetWitness Components
• Configuring SNMP
• Monitoring NetWitness Components for Performance and Efficiency
• Tips and Best Practices for Tuning the Decoder, Concentrator, Broker, and Informer
• Methods for Viewing and Modifying Logs

9. Troubleshooting RSA NetWitness

• Common Problems
• Investigating and Resolving Common ProblemsTroubleshooting Tools

Labs

In addition to lecture and demonstrations, this course includes hands-on exercises which are designed to give you practical experience.