NetWitness Respond collects alerts from multiple sources and provides the ability to group them logically and start an Incident Respond workflow to investigate and remediate the security issues raised. NetWitness Respond enables you to configure rules that automatically aggregate alerts into incidents. Alerts are normalized by the system to a common format to provide users with a consistent view for the rule criteria regardless of the data source. You can build query criteria based on the alert data with the ability to query on fields that are common as well as specific to data sources.
The rule engine allows you to group similar alerts together into an incident so that the investigation and remediation workflow can be shared across a set of similar alerts. You can create rules that can group alerts into incidents depending on a common value they share for one or two attributes (for example, source hostname) or if they are reported within a limited time window (for example, alerts that are within four hours of each other).
If an alert matches a rule, an incident is created using the criteria. As new alerts are ingested, if an existing incident was already created that matched those criteria, and that incident is not "in progress" yet, the new alerts continue to be added to the same incident. If there is no existing incident for the grouped value (for example, the specific hostname) or the time window, a new incident is created and the alert is added to it.
You can have multiple incident rules. The rules can either group alerts into incidents or suppress alerts from being matched by any rule. The rules are ranked top-to-bottom and only the first rule to match an incoming alert is used to include that alert in an incident. The incidents provide a context for the alerts, provide tools to record the investigation status, and track the progress of associated tasks.
The stages in the NetWitness Respond process are:
- Generate Incidents & Alerts
- Automatic Alert & Incident Generation
- Manual - New Incident Creation from Investigate > Events or Respond > Alerts
- (Optional) Manage Incidents in RSA Archer Cyber Incident and Breach Response (If you manage incidents in Archer instead of in NetWitness Respond, the process ends here.)
- Triage Incidents & Alerts
- Review Prioritized Incident List in Respond
- Review Prioritized Incidents & Alerts on Springboard
- Review Prioritized Alerts List
- Work an Incident
- Select & Investigate Incident
- Investigate Alerts & Events
- Analysis: Visualize, Reconstruct, and View Text
- (Optional) Pivot & Expand Investigation
- (Optional) Add Additional Events to Incident
- Escalate, Remediate, or Close the Incident
- Create & Assign Tasks
- Track Tasks to Closure
- (Optional) Send Incidents to RSA Archer Cyber Incident & Breach Response. (In NetWitness Platform version 11.2 and later, if RSA Archer is configured as a data source in Context Hub, you can send incidents to RSA Archer Cyber Incident & Breach Response.)
NetWitness Respond Workflow
The following figure shows the high-level NetWitness Respond workflow process.