Respond: Reviewing Alerts

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017. Version 6.

NetWitness Suite enables you to view a consolidated list of threat alerts generated from multiple sources in one location. You can find these alerts in the RESPOND > Alerts view. The source of the alerts can be ESA correlation rules, ESA Analytics, NetWitness Endpoint, Malware Analysis, Reporting Engine, as well as many others. You can see the original source of the alerts, the alert severity, and additional alert details.

Note: ESA correlation rule alerts can ONLY be found in the RESPOND > Alerts view.

To better manage a large number of alerts, you can filter the alerts list based on criteria that you specify, such as severity, time range, and alert source. For example, you may want to filter the alerts to show only those alerts with a severity between 90 and 100 that are not already part of an incident. You can then select a group of alerts to create an incident or add them to an existing incident.

You can perform the following procedures to review and manage alerts:

View Alerts

In the Alerts List view you can browse through various alerts from multiple sources, filter them, and group them to create incidents. This procedure shows you how to access the alerts list.

  1. Go to RESPOND > Alerts.
    The Alerts List view displays a list of all NetWitness Suite alerts.
    Alerts List view
  2. Scroll through the alerts list, which shows basic information about each alert as described in the following table.
    • CREATED: Displays the date and time when the alert was recorded in the source system.
    • SEVERITY: Displays the level of severity of the alert. The values are from 1 through 100.
    • NAME: Displays a basic description of the alert.
    • SOURCE: Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, Event Stream Analysis (ESA Correlation Rules), ESA Analytics, Reporting Engine, Web Threat Detection, and many others.
    • # EVENTS: Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one Event. For certain types of alerts, a high number of events may mean that the alert is more risky.
    • HOST SUMMARY: Displays details of the host, such as the host name, from where the alert was triggered. The details may include information about the source and destination hosts in an Alert. Some alerts may describe events across more than one host.
    • INCIDENT ID: Shows the Incident ID of the alert. If there is no incident ID, the alert does not belong to any incident; you can create an incident to include this alert, or the alert can be added to an existing incident.

At the bottom of the list, you can see the number of alerts on the current page and the total number of alerts. For example: Showing 377 out of 377 items

Filter the Alerts List

The number of alerts in the Alerts List can be very large, making it difficult to locate particular alerts. The Filter enables you to view the alerts you want to see, for example, alerts from a particular source, alerts of a particular severity, alerts that are not part of an incident, and so on.

  1. Go to RESPOND > Alerts.
    The Filters panel appears to the left of the Alerts list. If you do not see the Filters panel, in the Alerts List view toolbar, click the Filter icon, which opens the Filters panel.
    Alerts List Filter panel
  2. In the Filters panel, select one or more options to filter the alerts list:
    • TIME RANGE: You can select a specific time period from the Time Range drop-down list. The time range is based on the date that the alerts were received. For example, if you select Last Hour, you will see alerts that were received within the last 60 minutes.
    • CUSTOM DATE RANGE: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of CUSTOM DATE RANGE to view the Start Date and End Date fields. Select the dates and times from the calendar.
      Custom Date Range option in the filter
    • TYPE: Select the type of events in the alert to view, for example, logs, network sessions, and so on.
    • SOURCE: Select one or more sources to view alerts triggered by the selected sources. For example, to view NetWitness Endpoint alerts only, select Endpoint as the source.
    • SEVERITY: Select the level of severity of the alerts to view. The values are from 1 through 100. For example, to concentrate on the highest severity alerts first, you may want to view only those alerts with a severity from 90 to 100.
    • PART OF INCIDENT: To view only alerts that are not part of an incident, select No. To view only alerts that are part of an incident, select Yes. For example, when you are ready to create an incident from a group of alerts, you can select No to view only those alerts that are not currently part of an incident.
    • ALERT NAMES: Select the name of the alert to view. You can use this filter to search for all alerts generated by a specific rule or source, for example, Malicious IP - Reporting Engine.

    The Alerts List shows a list of alerts that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the alerts list.
    For example: Showing 30 out of 30 items

  3. If you want to close the Filters panel, click X. Your filters remain in place until you remove them.
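The Filters panel options above combine as a conjunction over the alert fields shown in the Alerts List. The following Python is an added example written for this page, not RSA code and not the NetWitness API: it models the alert columns as a dataclass with assumed field names, builds a small constructed set of sample alerts, and applies the TIME RANGE, CUSTOM DATE RANGE, SOURCE, SEVERITY, PART OF INCIDENT and ALERT NAMES criteria the way the panel describes them, including the "Showing N out of M items" footer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of one row of the Alerts List (CREATED, SEVERITY, NAME,
# SOURCE, # EVENTS, INCIDENT ID). Field names are assumptions for this
# example, not NetWitness API names.
@dataclass
class Alert:
    alert_id: str
    created: datetime                  # when the source system recorded the alert
    severity: int                      # 1 through 100
    name: str
    source: str                        # e.g. "Endpoint", "ESA Correlation"
    event_count: int
    incident_id: Optional[str] = None  # None: not part of any incident


# Fixed clock so the relative TIME RANGE filter is reproducible.
NOW = datetime(2017, 10, 15, 12, 0, 0)
LAST_HOUR = timedelta(hours=1)

# Constructed sample alerts (not real data).
SAMPLE_ALERTS: List[Alert] = [
    Alert("a1", NOW - timedelta(minutes=5), 95, "Malicious IP - Reporting Engine", "Reporting Engine", 3),
    Alert("a2", NOW - timedelta(minutes=30), 92, "Suspicious Process", "Endpoint", 1, incident_id="INC-1"),
    Alert("a3", NOW - timedelta(hours=3), 98, "Malicious IP - Reporting Engine", "Reporting Engine", 12),
    Alert("a4", NOW - timedelta(minutes=50), 40, "Port Scan", "ESA Correlation", 7),
    Alert("a5", NOW - timedelta(minutes=10), 90, "Malware Found", "Malware Analysis", 1),
]


def filter_alerts(alerts, *, now=NOW, time_range=None, start=None, end=None,
                  sources=None, min_severity=1, max_severity=100,
                  part_of_incident=None, names=None):
    """Apply the Filters panel criteria. Any criterion left at None is not
    applied, which mirrors leaving that filter option unselected.

    time_range      -- TIME RANGE, relative to `now` (e.g. LAST_HOUR)
    start / end     -- CUSTOM DATE RANGE (absolute bounds)
    sources         -- SOURCE, a set of accepted source names
    min/max_severity-- SEVERITY band, inclusive
    part_of_incident-- PART OF INCIDENT: True (Yes), False (No), None (either)
    names           -- ALERT NAMES, a set of accepted alert names
    """
    if time_range is not None:
        # "Last Hour" means received within the last 60 minutes.
        start, end = now - time_range, now
    out = []
    for a in alerts:
        if start is not None and a.created < start:
            continue
        if end is not None and a.created > end:
            continue
        if sources is not None and a.source not in sources:
            continue
        if not (min_severity <= a.severity <= max_severity):
            continue
        if part_of_incident is not None and (a.incident_id is not None) != part_of_incident:
            continue
        if names is not None and a.name not in names:
            continue
        out.append(a)
    return out


def summary_line(filtered, page_size=50):
    """The footer under the list: alerts on the current page out of the total."""
    return f"Showing {min(len(filtered), page_size)} out of {len(filtered)} items"


if __name__ == "__main__":
    # Severity 90 to 100 and not yet part of an incident, as in the page's example.
    ready = filter_alerts(SAMPLE_ALERTS, min_severity=90, part_of_incident=False)
    for a in ready:
        print(a.alert_id, a.severity, a.name)
    print(summary_line(ready))
```

The `part_of_incident=False` criterion is the one to use before creating an incident, since alerts that already carry an incident ID cannot be added to a new one.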

Remove My Filters from the Alerts List

NetWitness Suite remembers your filter selections in the Alerts List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of alerts that you expect to see or you want to view all of the alerts in your alerts list, you can reset your filters.

  1. Go to RESPOND > Alerts.
    The Filters panel appears to the left of the alerts list. If you do not see the Filters panel, in the Alerts List view toolbar, click the Filter icon, which opens the Filters panel.
  2. At the bottom of the Filters panel, click Reset Filters.

View Alert Summary Information

In addition to viewing basic information about an alert, you can also view raw alert metadata in the Overview panel.

  1. In the Alerts list, click the alert that you want to view.
    The Alert Overview panel appears to the right of the Alerts list.
    Alerts View showing Overview panel
  2. In the Raw Alert section, you can scroll to view the raw alert metadata.
    Alert Overview panel

View Event Details for an Alert

After you review the general information about the alert in the Alerts List view, you can go to the Alert Details view for more detailed information to determine the action required. An alert contains one or more events. In the Alert Details view, you can drill down into an alert to get additional event details and further investigate the alert. The following figure shows an example of the Alert Details view.

Alert Details view showing the Events panel

 

The Overview panel on the left has the same information for an alert as the Overview panel in the Alerts List view.

The Events panel on the right shows information about the events in the alert, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.

There are two types of events:

  • A transaction between two machines (a Source and a Destination)
  • An anomaly detected on a single machine (a Detector)

Some events will only have a Detector. For example, NetWitness Endpoint finds malware on your machine. Other events will have a Source and Destination. For example, packet data shows communication between your machine and a Command and Control (C2) domain.

You can drill further into an event to get detailed data about the event.

To View the Event Details for an Alert:

  1. To view event details for an alert, in the Alerts List view, choose an alert to view and then click the link in the NAME column for that alert.
    Alerts List showing Name link
    The Alerts Details view shows the Overview panel on the left and the Events panel on the right.
    Alert Details view showing the Events panel
    The Events panel shows a list of events with information about each event.
  2. The following table shows some of the columns that can appear in the Events List (Events Table):
    • TIME: Shows the time the event occurred.
    • TYPE: Shows the type of alert, such as Log and Network.
    • SOURCE IP: Shows the source IP address if there was a transaction between two machines.
    • DESTINATION IP: Shows the destination IP address if there was a transaction between two machines.
    • DETECTOR IP: Shows the IP address of the machine where an anomaly was detected.
    • SOURCE USER: Shows the user of the source machine.
    • DESTINATION USER: Shows the user of the destination machine.
    • FILE NAME: Shows the file name if a file is involved with the event.
    • FILE HASH: Shows a hash of the file contents.

    If there is only one event in the list, you will see the event details for that event instead of a list.

  3. Click an event in the Events list to view the Event details.
    This example shows the event details for the first event in the list.
    Event Details showing first event
  4. Use the page navigation to the right of the Back To Table button to view other events. This example shows the event details for the last event in the list.
    Event Details showing the navigation options in the last event in the alert

See Alert Details View for detailed information about the event data listed in the Alert Details panel.

Investigate Events

To further investigate the events, you can find links that take you to additional contextual information. From there, you have options available depending on your selection.

View Contextual Information

In the Alert Details view, you can see underlined entities in the Events panel. An underlined entity is considered an entity in the Context Hub and has additional contextual information available. The following figure shows underlined entities in the Events list.

Events panel - Event list showing underlined entities

The following figure shows underlined entities in the Events Details.

Events panel - Event details showing underlined entities

The Context Hub is preconfigured with meta fields mapped to the entities. NetWitness Respond and Investigation use these default mappings for context lookup. For information about adding meta keys, see "Configure Settings for a Data Source" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, RSA recommends that when mapping meta keys in the ADMIN > SYSTEM > Investigations > Context Lookup tab, you add only meta keys to the Meta Key Mappings, not fields in the MongoDB. For example, ip.address is a meta key and ip_address is not a meta key (it is a field in the MongoDB).

To View Contextual Information:

  1. In the Alert Details view Events List or Event Details, hover over an underlined entity.
    A context tooltip appears with a quick summary of the type of context data that is available for the selected entity.
    Events panel - Event details showing context tooltip
    The context tooltip has two sections: Context Highlights and Actions.
    Context tooltip
    The information in the Context Highlights section helps you to determine the actions that you would like to take. It shows the number of related alerts and incidents. Depending on your data, you may be able to click these numbered items for more information. The above example shows 238 related incidents, 8,755 related alerts, and 1 related context hub list.

    The Actions section lists the available actions. In the above example, the Pivot to Investigate, Pivot to Endpoint, and Add/Remove From List options are available.
  2. To see more details about the selected entity, click the View Context button.
    The Context panel opens and shows all of the information related to the entity.
    Context Lookup Panel - Respond View provides additional information.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Alert Details view Events List or Event Details, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
    Events panel showing Add/Remove From List option
  2. In the Actions section of the tooltip, click Add/Remove from List.
    The Add/Remove From List dialog shows the available lists.
    Add/Remove From List dialog
  3. Select one or more lists and click Save.
    The entity appears on the selected lists.
    Add/Remove from List Dialog provides additional information.

Create a Whitelist

You can create a whitelist in the Context Hub in the same way as you would create it in the Incident Details view; see Create a List.

Pivot to NetWitness Endpoint

If you have the NetWitness Endpoint thick client application installed, you can launch it through the context tooltip. From there, you can further investigate a suspicious IP address, Host, or MAC address.

  1. In the Events List or Event Details in the Alert Details view, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Endpoint.
    The NetWitness Endpoint application opens outside of your web browser.

For more information, see the NetWitness Endpoint User Guide.

Pivot to Investigation

For a more thorough investigation of the incident, you can access the Investigate view.

  1. In the Events List or Event Details in the Alert Details view, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Investigate.
    The Investigate Navigate view opens, which enables you to perform a deeper dive investigation.

For more information, see the Investigation and Malware Analysis User Guide.

Create an Incident Manually

You can create incidents manually from alerts in the Alerts List view. The alerts that you select cannot be part of another incident. Incidents created manually from alerts default to Low priority, but you can change the priority after you create it. You cannot add categories to manually created incidents.

Note: Incidents can be created manually or automatically. An Alert can only be associated with one Incident. You can create aggregation rules to analyze the alerts collected and group them into incidents depending on which rules they match. For details, see the "Create an Aggregation Rule for Alerts" topic in the NetWitness Respond Configuration Guide.

To Create an Incident Manually:

  1. Go to RESPOND > Alerts.
  2. Select one or more alerts in the Alerts List.

    Note: Selecting alerts that do not have incident IDs enables the Create Incident button. If any selected alert is already part of an incident, the button is disabled. You can filter for alerts that are not part of an incident by setting PART OF INCIDENT to No in the Filters panel.

    Alerts List showing three alerts selected

  3. Click Create Incident.

    The Create Incident dialog is displayed.

    Create Incident dialog with Example name

  4. In the INCIDENT NAME field, type a name to identify the incident. For example, Investigate - IP.
  5. Click OK.
    Alerts List showing successful incident creation

    You will see a confirmation message that an incident was created from the selected alerts. The new incident ID appears as a link in the INCIDENT ID column of the selected alerts. If you click the link, it takes you to the Incident Details view for that incident, where you can update information, such as changing Priority from low to high.

Delete Alerts

Users with the appropriate permissions, such as Administrators and Data Privacy Officers, can delete alerts. This procedure is helpful when you want to remove unnecessary or non-relevant alerts. Deleting these alerts frees up disk space.

  1. Go to RESPOND > Alerts.
    The Alerts List view displays a list of all NetWitness Suite alerts.
  2. In the Alerts list, select the alerts that you want to delete and click Delete.
    Remediation Tasks list with tasks selected for delete
    If you do not have permission to delete alerts, you will not see the Delete button.
  3. Confirm that you want to delete the alerts and click OK.
    Confirm Delete dialog
    The alerts are deleted from NetWitness Suite. If a deleted alert is the only alert in an incident, the incident is also deleted. If the deleted alert is not the only alert in an incident, the incident is updated to reflect the deletion.
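The rules in Create an Incident Manually and Delete Alerts above describe a small set of invariants: an alert belongs to at most one incident, Create Incident is available only when no selected alert already has an incident ID, a manually created incident starts at Low priority, and deleting the last alert of an incident deletes the incident while deleting one of several only updates it. The following Python is an added example written for this page, not RSA code and not NetWitness internals; the `AlertStore`, `Alert` and `Incident` names and the `INC-n` identifier format are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Alert:
    alert_id: str
    name: str
    incident_id: Optional[str] = None   # an alert is associated with at most one incident


@dataclass
class Incident:
    incident_id: str
    name: str
    alert_ids: List[str] = field(default_factory=list)
    priority: str = "Low"               # manually created incidents default to Low


class AlertStore:
    """Constructed in-memory model of the alert/incident relationships on this page."""

    def __init__(self, alerts):
        self.alerts: Dict[str, Alert] = {a.alert_id: a for a in alerts}
        self.incidents: Dict[str, Incident] = {}
        self._next_id = 1               # assumed "INC-n" numbering for the example

    def can_create_incident(self, alert_ids) -> bool:
        """Mirrors the Create Incident button: enabled only when every selected
        alert exists and has no incident ID yet."""
        return bool(alert_ids) and all(
            i in self.alerts and self.alerts[i].incident_id is None for i in alert_ids
        )

    def create_incident(self, name: str, alert_ids) -> Incident:
        """Create an incident from the selected alerts and link them to it."""
        if not self.can_create_incident(alert_ids):
            raise ValueError("selected alerts must exist and not already belong to an incident")
        inc = Incident(f"INC-{self._next_id}", name, list(alert_ids))
        self._next_id += 1
        self.incidents[inc.incident_id] = inc
        for i in alert_ids:
            # This is the link that appears in the INCIDENT ID column.
            self.alerts[i].incident_id = inc.incident_id
        return inc

    def set_priority(self, incident_id: str, priority: str) -> None:
        """Priority can be changed after creation (e.g. from Low to High)."""
        self.incidents[incident_id].priority = priority

    def delete_alerts(self, alert_ids) -> Set[str]:
        """Delete alerts. An incident whose only remaining alert is deleted is
        deleted too; otherwise the incident is updated to drop that alert.
        Returns the IDs of incidents that were deleted as a result."""
        removed_incidents: Set[str] = set()
        for i in alert_ids:
            alert = self.alerts.pop(i)
            if alert.incident_id is None:
                continue
            inc = self.incidents[alert.incident_id]
            inc.alert_ids.remove(i)
            if not inc.alert_ids:
                del self.incidents[inc.incident_id]
                removed_incidents.add(inc.incident_id)
        return removed_incidents


if __name__ == "__main__":
    store = AlertStore([Alert("a1", "Malicious IP"), Alert("a2", "Malicious IP"), Alert("a3", "Port Scan")])
    inc = store.create_incident("Investigate - IP", ["a1", "a2"])
    print(inc.incident_id, inc.priority, store.alerts["a1"].incident_id)
    print("can reuse a1:", store.can_create_incident(["a1", "a3"]))
    print("deleted incidents:", store.delete_alerts(["a1"]), store.delete_alerts(["a2"]))
```

Note that `delete_alerts` returns the incidents it removed so that a caller can reconcile any downstream records that referenced them.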
 