NetWitness Respond collects alerts from multiple sources and provides the ability to group them logically and start an Incident Response workflow to investigate and remediate the security issues raised. NetWitness Respond enables you to configure rules that aggregate Alerts into Incidents. Alerts are normalized by the system to a common format, so the rule criteria are evaluated against a consistent set of fields regardless of the data source. You can build query criteria on the alert data, using both the fields common to all sources and the fields specific to a particular data source.
The rule engine allows you to group similar alerts together into an Incident so that the investigation and remediation workflow can be shared across a set of similar alerts. You can create rules that can group alerts into incidents depending on a common value they share for one or two attributes (for example, source hostname) or if they are reported within a limited time window (for example, alerts that are within four hours of each other).
When an alert matches a rule, an incident is created from that rule's grouping criteria. As new alerts are ingested, they are added to an existing incident that the same criteria already produced, as long as that incident is not yet "in progress". If there is no such open incident for the grouped value (for example, the specific hostname) or within the time window, a new incident is created and the alert is added to it.
You can have multiple incident rules. A rule either groups matching alerts into incidents or suppresses matching alerts so that no other rule considers them. For this reason the rules are ranked top to bottom, and only the first rule that matches an incoming alert is applied to that alert. The Incidents provide a context for the alerts, provide tools to record the investigation status, and track the progress of associated tasks.
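To make the rule semantics described above concrete, the following is an added example, not NetWitness code: a small simulation of ranked, first-match aggregation rules with grouping attributes, a time window, suppression rules and the "in progress" cut-off. The alert field names, rule names, and the choice to measure the time window from the incident's most recent alert are assumptions made for illustration; the alerts fed in are constructed.

```python
# Added example (not NetWitness code): simulation of ranked, first-match
# incident aggregation rules. Field names, rule names and the "gap from the
# incident's latest alert" window semantics are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    id: str
    time: datetime
    fields: Dict[str, str]              # normalized fields common to every source


@dataclass
class Rule:
    name: str
    match: Dict[str, str]               # every key must equal the alert's value
    group_by: Tuple[str, ...] = ()      # one or two attributes whose shared value groups alerts
    window: Optional[timedelta] = None  # max gap from the incident's latest alert (assumed)
    suppress: bool = False              # suppression rule: matched alerts join no incident


@dataclass
class Incident:
    id: int
    rule: str
    key: Tuple[Optional[str], ...]
    status: str = "New"                 # once "In Progress", no more alerts are added
    alerts: List[str] = field(default_factory=list)
    last_alert: Optional[datetime] = None


def matches(rule: Rule, alert: Alert) -> bool:
    return all(alert.fields.get(k) == v for k, v in rule.match.items())


class RuleEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules              # ranked: index 0 is evaluated first
        self.incidents: List[Incident] = []
        self.suppressed: List[str] = []

    def ingest(self, alert: Alert) -> Optional[Incident]:
        for rule in self.rules:         # only the first matching rule is used
            if not matches(rule, alert):
                continue
            if rule.suppress:
                self.suppressed.append(alert.id)
                return None
            key = tuple(alert.fields.get(f) for f in rule.group_by)
            inc = self._open_incident(rule, key, alert.time)
            if inc is None:
                inc = Incident(len(self.incidents) + 1, rule.name, key)
                self.incidents.append(inc)
            inc.alerts.append(alert.id)
            inc.last_alert = alert.time
            return inc
        return None                     # no rule matched: alert stays unaggregated

    def _open_incident(self, rule: Rule, key, when: datetime) -> Optional[Incident]:
        for inc in self.incidents:
            if inc.rule != rule.name or inc.key != key or inc.status == "In Progress":
                continue
            if rule.window and when - inc.last_alert > rule.window:
                continue                # outside the time window: start a new incident
            return inc
        return None


def run_demo() -> RuleEngine:
    """Constructed alerts exercising suppression, grouping, window and status."""
    t0 = datetime(2024, 1, 1, 10, 0)
    engine = RuleEngine([
        Rule("Suppress scanner noise", {"source": "Vuln Scanner"}, suppress=True),
        Rule("High severity by host", {"severity": "high"}, ("host",), timedelta(hours=4)),
        Rule("Low severity by user", {"severity": "low"}, ("user",)),
    ])

    def alert(aid: str, minutes: int, **fields: str) -> Alert:
        return Alert(aid, t0 + timedelta(minutes=minutes), fields)

    engine.ingest(alert("a1", 0, host="web01", severity="high", source="ESA", user="alice"))
    engine.ingest(alert("a2", 60, host="web01", severity="high", source="ESA", user="bob"))
    engine.ingest(alert("a3", 30, host="web01", severity="high", source="Vuln Scanner"))
    engine.incidents[0].status = "In Progress"   # an analyst picks up incident 1
    engine.ingest(alert("a4", 90, host="web01", severity="high", source="ESA"))
    engine.ingest(alert("a5", 360, host="web01", severity="high", source="ESA"))   # 4.5 h gap
    engine.ingest(alert("a6", 120, host="db01", severity="low", source="ESA", user="alice"))
    engine.ingest(alert("a7", 150, host="db01", severity="medium", source="ESA"))  # no rule
    return engine
```

Running `run_demo()` yields four incidents: a1 and a2 share incident 1 (same host, within the window); a3 is suppressed by the top-ranked rule even though it would also match the host rule; a4 opens incident 2 because incident 1 is already In Progress; a5 opens incident 3 because it is more than four hours after incident 2's latest alert; a6 opens incident 4 keyed on the user; a7 matches no rule and is left unaggregated.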
The stages in the NetWitness Respond process are:
- Review Alerts
- Create Incidents
- Respond to Incidents:
  - Review Prioritized Incident List
  - Determine which Incidents Require Action
  - Investigate Incidents
  - Escalate or Remediate the Incident (This includes creating and assigning tasks as well as tracking tasks to closure. In version 11.2 and later, if RSA Archer is configured as a data source in Context Hub, you can send incidents to RSA Archer® Cyber Incident & Breach Response.)
You also have the option of managing incidents in Archer Cyber Incident & Breach Response instead of NetWitness Respond.
NetWitness Respond Workflow
The following figure shows the high-level NetWitness Respond workflow process.