Respond: Determine which Incidents Require Action

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Nov 21, 2019.
Once you get the general information about the incident from the Incident List view, you can go to the Incident Details view for more information to determine the action required.

Incident Details view

You can perform the following procedures in the Incident Details view to determine the action required on an incident:

 

View Incident Details

To view details for an incident, in the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.

Incident List view showing link to the details view in the Name column

The Incident Details view for the selected incident appears with the Nodal Graph in view.

Incident Details view example

The Incident Details view has the following panels:

  • Overview: The incident Overview panel contains high-level summary information about the incident, such as the score, priority, alerts, and status. You have the option to send the incident to RSA Archer and change the incident Priority, Status, and Assignee.
  • Indicators: The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.
  • Related Indicators: The Related Indicators panel enables you to search the NetWitness Platform alerts database to find alerts that are related to this incident. You can also add related alerts that you find to the incident.
  • Nodal Graph: The nodal graph is an interactive graph that shows the relationship between the entities involved in the incident. An Entity is represented by an IP address, MAC address, user, host, domain, file name, or file hash.
  • Events List: The Events List, also known as the Events table, lists the events associated with the incident. It also shows event source and destination information along with additional information depending on the event type. You can click the top of an event in the list to view the detailed data for that event.
  • Journal: The Journal panel enables you to access the Journal for the selected incident, which allows you to communicate and collaborate with other analysts. You can post notes to a journal, add Investigation Milestone tags (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action on Objective, Containment, Eradication, and Closure), and view the history of activity on your incident.
  • Tasks: The Tasks panel shows all of the tasks that have been created for the incident. You can also create additional tasks from here.

To view more information in the left-side panel without scrolling, you can hover over the right edge and drag the line to resize the panel as shown in the following figure.

Incident Details view showing how to resize the panel

View Basic Summary Information about the Incident

You can view basic summary information about an incident in the Overview panel.

Above the Overview panel, you can see the following information:

  • Incident ID: This is an automatically created unique ID assigned to the incident.
  • Name: The incident name is derived from the rule used to trigger the incident.
  • Send to Archer / Sent to Archer: (In version 11.2 and later, if RSA Archer is configured as a data source in Context Hub, you can send incidents to Archer Cyber Incident & Breach Response and this option is available in NetWitness Respond.) This shows whether an incident has been sent to Archer Cyber Incident & Breach Response. An incident sent to Archer shows as Sent to Archer. An incident that has not been sent to Archer shows as Send to Archer. You can click the Send to Archer button to send the incident to Archer Cyber Incident & Breach Response.

Top of left panel

To view the Overview panel from the Incident Details view, select OVERVIEW in the left panel.

Overview panel

To view the Overview panel from the Incidents List view, click an incident in the list. The Overview panel appears on the right.

Incident List with the Overview panel open

The Overview panel contains basic summary information about the selected incident:

  • Created: Shows the creation date and time of the incident.
  • Rule / By: Shows the name of the rule that created the incident or the name of the person who created the incident.
  • Risk Score: Shows a value between 0 and 100 that indicates the risk of the incident as calculated by an algorithm. 100 is the highest risk score.
  • Priority: Shows the incident priority. Priority can be Critical, High, Medium or Low.
  • Status: Shows the incident status. The status can be New, Assigned, In Progress, Task Requested, Task Complete, Closed, or Closed - False Positive. After you create a task, the status changes to Task Requested.
  • Assignee: Shows the team member currently assigned to the incident.
  • Sources: Indicates the data sources used to locate the suspicious activity.
  • Categories: Shows the categories of the incident events.
  • Catalysts: Shows the count of indicators that gave rise to the incident.

View the Indicators and Enrichments

Note: Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert.

You can find indicators, events, and enrichments on the Indicators panel. The Indicators panel is a chronological listing of indicators that helps you to find enrichments and events related to the triggering indicator. For example, an indicator might be a Command and Control alert, a NetWitness Endpoint alert, a Suspicious Domain (C2) alert, or an alert from an Event Stream Analysis (ESA) rule. The Indicators panel helps you to aggregate and order these indicators (alerts) from different systems so that you can see how they are related and also help you develop a timeline of a given attack.

To view the Indicators panel, in the left panel of the Incident Details view, select INDICATORS.

Indicators panel

Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. This listing helps you to connect indicators and notable data. For example, indicators can show the data found by your rules. In the Indicators panel, the risk score for an indicator is shown within a solid-colored circle.

Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. When data is available, you can see the number of enrichments. You can click the event and enrichment buttons to view the details.

Note: The maximum number of indicators (alerts) displayed in the Indicators panel is 1,000.

View and Study the Events

You can view and study the events associated with the incident from the Events List. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.

There are two types of events:

  • A transaction between two machines (a Source and a Destination)
  • An anomaly detected on a single machine (a Detector)

Some events will only have a Detector. For example, NetWitness Endpoint finds malware on your machine. Other events will have a Source and Destination. For example, packet data shows communication between your machine and a Command and Control (C2) domain.

You can drill further into an event to get detailed data about the event.

To view and study the events:

  1. To view the Events List, in the Incident Details view toolbar, click the Events List icon. The Events List opens.

    Events List showing the icon used to access it
    The Events List shows different information about each event depending on the event type. The maximum number of events displayed in the Events List is 1,000.

    The following table lists typical event information. For details specific to endpoint events, see Events List.

    • EVENT TIME: Shows the time the event occurred.
    • EVENT TYPE: Shows the type of alert, such as Log and Network.
    • DETECTOR IP: Shows the IP address of the machine where an anomaly was detected.
    • FILE NAME: Shows the file name if a file is involved with the event.
    • FILE HASH: Shows a hash of the file contents.
    • SOURCE IP: Shows the source IP address if there was a transaction between two machines.
    • SOURCE PORT: Shows the source port of the transaction. The source and destination ports can be on the same IP address.
    • SOURCE HOST: Shows the destination host where the event took place.
    • SOURCE MAC: Shows the MAC address of the source machine.
    • SOURCE USER: Shows the user of the source machine.
    • TARGET IP: Shows the destination IP address if there was a transaction between two machines.
    • TARGET PORT: Shows the destination port of the transaction. The source and destination ports can be on the same IP address.
    • TARGET HOST: Shows the host name of the destination machine.
    • TARGET MAC: Shows the MAC address of the destination machine.
    • TARGET USER: Shows the user of the destination machine.


  2. Click the top of an event in the Events List to view the event details.
    This example shows the event details for a selected event in the list.

    Events list showing event details for a selected event
  3. To view the events for a specific indicator (alert), go to the Indicators panel on the left and click the indicator to view the events for that indicator in the Events List on the right.

    This example shows the event for a selected indicator.

    Events list for a selected indicator
  4. To view event details for a specific indicator event, select an event in the Indicators panel. Click the top of the event to view the details.
    The following example shows information for the selected event.

    Event information for a selected event in the Indicators panel

    If you have additional Investigate-server permissions, you can also access Event Analysis details for events. See View Event Analysis Details for Indicators. If you have the UEBA_Analysts role, you can access UEBA details for indicators. See View User Entity Behavior Analytics for Indicators.


View C2 Enrichment Information for Suspected C&C Incidents

Note: This procedure applies to incidents from ESA Analytics in NetWitness Platform version 11.3 and later.

The Events List in version 11.3 does not show the Command and Control (C2) enrichment information for HTTP packet alerts in Suspected C&C incidents. However, you can view the C2 enrichment information in the Alert Details view.

  1. Go to RESPOND > Incidents, look for a Suspected C&C incident, and note the incident ID.
    Incidents list showing an incident ID of a Suspected C&C incident

  2. Go to RESPOND > Alerts and in the Filters panel, select the following to locate an alert in the Alerts list with the incident ID noted above:

    1. In the Part of Incident section, select Yes.

    2. In Alert Names section, select http-packet.

    If you are still not able to locate an alert in the Alerts list with the incident ID noted above, try filtering your alerts list more using the time range of the incident.

    A filtered Alerts list showing an alert with the same incident ID as noted previously

  3. In the Alerts list, click the http-packet link in the NAME field of the alert associated with the incident ID.
    The Event Details view shows the C2 enrichment information.
    C2 Enrichment information in the Event Details of an alert associated with the incident

View and Study the Entities Involved in the Events

An Entity is either an IP address, MAC address, user, host, domain, file name, or file hash. The nodal graph is an interactive graph that you can move around to get a better understanding of how the entities involved in the events relate to each other. The nodal graphs look different depending on the type of event, the number of machines involved, whether the machines are associated with users, and if there are files associated with the event.

The following figure shows an example nodal graph with six nodes.

Nodal graph

If you look closely at the nodal graph, you can see circles that represent nodes. A nodal graph can contain one or more of the following types of nodes:

  • IP address (If the event is a detected anomaly, you can see a Detector IP. If the event is a transaction, you can see a Destination IP and a Source IP.)
  • MAC address (You may see a MAC address for each type of IP address.)
  • User (If the machine is associated with a user, you can see a user node.)
  • Host
  • Domain
  • Filename (If the event involves files, you can see a filename.)
  • File Hash (If the event involves files, you may see a file hash.)

In NetWitness Platform 11.3 events, nodes for source filename and file hash are supported, but nodes for target filename and file hash are not supported.

The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes.

You can click and drag any node to reposition it.

The arrows between the nodes provide additional information about the entity relationships:

  • Communicates with: An arrow between a Source machine node (IP address or MAC address) and a Destination machine node labeled with "communicates with" shows the direction of the communication.
  • Has file: An arrow between a machine node (IP address, MAC address, or Host) and a file hash node labeled with "has" indicates that the IP address has that file.
  • Uses: An arrow between a User node and a machine node (IP address, MAC address, or Host) labeled with "uses" shows the machine that the user was using during the event.
  • As: (This relationship type represents attributes of the connected node.) An arrow between nodes labeled with "as" provides additional information about the IP address that the arrow points to. In the above example, there is an arrow from the host node circle that points to an IP address node that is labeled with "as". This indicates that the name on the host node circle is the hostname of that IP address and is not a different entity.
  • Is named: (This relationship type represents attributes of the connected node.) An arrow from a File Hash node to a File Name node labeled with "is named" indicates that the file hash corresponds to a file with that name.
  • Belongs to: (This relationship type represents attributes of the connected node.) An arrow between two nodes labeled with "belongs to" indicates that they pertain to the same node. For example, an arrow between a MAC address and a Host labeled with "belongs to" indicates that it is the MAC address for the host.

Larger line size arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The larger nodes are the most common entities mentioned in the events.

The following nodal graph example has 11 nodes.

Nodal graph example showing 11 nodes

In this example, notice that there are two IP nodes. They both have hashed files, but they do not communicate with each other. The IP address at the top (192.168.1.1) represents one machine with two hostnames (host.example.com is one of them) in the example.com domain. The MAC address of the machine is 11-11-11-11-11-11-11-11-11 and Alice uses it.

Select Node Types to View on the Nodal Graph

Note: This option is available in NetWitness Platform version 11.2 and later.

In the Incident Details view nodal graph, you can hide node types to further study the interactions between the entities on the nodal graph.

  1. Go to RESPOND > Incidents.
  2. In the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.
    The Incident Details view for the selected incident appears with the Nodal Graph in view. The legend below the nodal graph has all of the entity node types selected by default.
    If you do not see the nodal graph, click Nodal Graph icon.

    Nodal Graph Example with all nodal types selected in the legend
  3. To hide node types, in the legend, clear the checkbox for the node types that you would like to hide in the nodal graph.
    The following example shows the MAC address node type cleared and the MAC address nodes are now hidden.
    Nodal Graph Example with all nodal types selected in the legend except MAC
  4. To include (unhide) node types, select the checkbox for the node types that you would like to appear in the nodal graph.

Hiding node types can be especially helpful if the nodal diagram includes over 100 nodes as shown in the following figure.


Nodal Graph over 100 nodes example with all nodal types selected in the legend

After hiding the IP node types, you can get a better understanding of what is happening with the remaining nodes.

Nodal Graph with IP node types hidden
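The following Python example is added here to make the entity model behind the Events List and the nodal graph concrete; it is not RSA NetWitness code. It turns a few constructed Events List rows (the two event types above: a transaction with a Source and Target, and a detector-only anomaly) into nodes and arrows using this page's labels, weights them the way the graph sizes circles and lines, builds the legend counts, and applies the hide-node-type filter. The field names, sample values and the "11.3 source-side files only" handling are assumptions taken from the text, not the product's internal schema.

```python
from collections import Counter

# Constructed sample rows in the shape of the Events List table on this page.
# Events 1 and 2 are transactions (Source and Target); event 3 is a detector-only anomaly.
SAMPLE_EVENTS = [
    {"event_type": "Network", "source_ip": "192.168.1.1", "source_mac": "11-11-11-11-11-11",
     "source_host": "host.example.com", "source_user": "alice",
     "target_ip": "203.0.113.5", "target_host": "c2.example.net"},
    {"event_type": "Network", "source_ip": "192.168.1.1", "source_mac": "11-11-11-11-11-11",
     "source_host": "host.example.com", "source_user": "alice", "target_ip": "203.0.113.5"},
    {"event_type": "Endpoint", "detector_ip": "192.168.1.20",
     "file_name": "dropper.exe", "file_hash": "HASH-PLACEHOLDER-1"},
]


def event_entities(ev):
    """Return (nodes, arrows) for one Events List row, using this page's arrow labels.
    A node is a (type, value) tuple; an arrow is (from_node, label, to_node)."""
    nodes, arrows = set(), []

    def link(a, label, b):
        nodes.update((a, b))
        arrows.append((a, label, b))

    if "detector_ip" in ev:
        machine = ("IP", ev["detector_ip"])      # anomaly on a single machine: Detector IP only
        nodes.add(machine)
    else:
        src, dst = ("IP", ev["source_ip"]), ("IP", ev["target_ip"])
        link(src, "communicates with", dst)      # transaction between two machines
        machine = src
        for side, ip in (("source", src), ("target", dst)):
            host = ev.get(f"{side}_host")
            if host:
                link(("Host", host), "as", ip)   # hostname of that IP, not a separate entity
            if ev.get(f"{side}_mac"):            # MAC belongs to the host, or to the IP if no host
                link(("MAC", ev[f"{side}_mac"]), "belongs to", ("Host", host) if host else ip)
            if ev.get(f"{side}_user"):
                link(("User", ev[f"{side}_user"]), "uses", ip)
    if "file_hash" in ev:
        fh = ("File Hash", ev["file_hash"])      # 11.3: file nodes on the source side only
        link(machine, "has", fh)
        if "file_name" in ev:
            link(fh, "is named", ("Filename", ev["file_name"]))
    return nodes, arrows


def build_graph(events):
    """Weight each node by the number of events mentioning it and each arrow by occurrence;
    the graph draws heavier nodes as larger circles and busier arrows as thicker lines."""
    node_w, arrow_w = Counter(), Counter()
    for ev in events:
        nodes, arrows = event_entities(ev)
        node_w.update(nodes)
        arrow_w.update(arrows)
    return node_w, arrow_w


def legend(node_w):
    """Node count per type, as listed in the legend under the graph."""
    return Counter(kind for kind, _ in node_w)


def hide_types(node_w, arrow_w, hidden):
    """Legend checkbox cleared: drop nodes of the hidden types and every arrow touching them."""
    kept = Counter({n: w for n, w in node_w.items() if n[0] not in hidden})
    kept_arrows = Counter({a: w for a, w in arrow_w.items() if a[0] in kept and a[2] in kept})
    return kept, kept_arrows
```

Hiding the IP type on the sample leaves only the "belongs to" and "is named" arrows, which is the effect the figure above illustrates on a crowded graph.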

Filter the Data in the Incident Details View

You can click indicators in the Indicators panel to filter what you can see in the Nodal Graph and the Events List.

If you select an indicator to filter the nodal graph, data that is not part of your selection is dimmed, but it is still in view as shown in the following figure.

Nodal graph filtered by incidents

If you select an indicator to filter the Events List, only the events for that indicator are shown in the list. The following figure shows an indicator selected that contains ninety-eight events. The filtered Events List shows those ninety-eight events.

Incident Details view - A selected indicator filters the events list and shows eight events

View the Tasks associated with an Incident

Threat responders and other analysts can create tasks for an incident and track those tasks to completion. This can be very helpful, for example, when you require actions on incidents from teams outside of your security operations. You can view the tasks associated with an incident in the Incident Details view.

  1. Go to RESPOND > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident.
  3. In the Journal on the right side of the Incident Details view, click the TASKS tab.
    If you cannot see the Journal, click Journal & Tasks (version 11.3.2 and later) or click the Journal, Tasks, and Related icon (11.3.1 and earlier 11.x versions), and then click the TASKS tab.
    The Tasks panel shows all of the tasks for the incident.
    TASKS panel

For more information about tasks, see Tasks List View, View All Incident Tasks, and Create a Task.

View Incident Notes

The incident Journal enables you to view the history of activity on your incident. You can view journal entries from other analysts and also communicate and collaborate with them.

  1. Go to RESPOND > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident.
    The Journal on the right side of the Incident Details view shows all of the journal entries for the incident.
    If you cannot see the Journal, click Journal & Tasks (version 11.3.2 and later) or click the Journal, Tasks, and Related icon (11.3.1 and earlier 11.x versions).
    Journal panel

Find Related Indicators

Related Indicators are alerts that were not originally part of the selected incident, but they are related in some way to the incident. The relationship may or may not be obvious. For example, related indicators can involve one or more entities from the incident, but they can also be related due to some intelligence outside of NetWitness Platform.

In the Incident Details view Related Indicators panel, you can search for an entity (such as IP, MAC, Host, Domain, User, Filename, or Hash) in other alerts outside of the current incident.

  1. Go to RESPOND > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident.
  3. To view the Related Indicators panel, do one of the following:
    • (NetWitness Platform version 11.3.2 and later) In the left panel of the Incident Details view, click the FIND RELATED tab.
    • (NetWitness Platform 11.3.1 and earlier 11.x versions) In the Incident Details toolbar, click Journal, Tasks, and Related icon and then click the RELATED tab.
      The Related Indicators panel is displayed.
      Related Indicators panel
  4. In the Find field, select the entity type to search, such as IP.

  5. In the Value field, type a value for the entity, such as a specific IP address.

  6. In the When field, select the time period to search, such as the Last 24 Hours.

  7. Click Find.
    A list of related indicators (alerts) appears below the Find button in the Indicators for section. If an alert is not part of another incident, you can click the Add to Incident button to add the related indicator (alert) to the current incident. See Add Related Indicators to the Incident below.

Add Related Indicators to the Incident

You can add related indicators (alerts) to the current incident from Related Indicators panel. An indicator that is already part of an incident cannot be part of another incident. In the search results, if an alert is not already part of an incident, it has an Add to Incident button.

  1. In the Related Indicators panel, do a search to find related indicators. See Find Related Indicators above.

    Related Indicators panel
  2. Review the alerts in the search results. The Indicators for section (below the Find button) lists the related indicators (alerts).
  3. To inspect the details of an alert before adding it as a related indicator to the incident, you can click the Open in New Window link to view the alert details for that indicator.
  4. For each alert that you want to add to the current incident as a related indicator, click the Add to Incident button.
    The button in the Related Indicators panel now shows Part of This Incident.
    Related Indicators panel
    The selected related indicator is added to the Indicators panel. The Indicators tab now shows the additional indicator.
    Indicators panel showing the added Related Indicator
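The following Python example is added here (it is not RSA NetWitness code) to show the logic of the two procedures above, Find Related Indicators and Add Related Indicators, over a constructed in-memory alert list: a search by entity type, value and time window that excludes the current incident's own alerts, and an Add to Incident step that honours the rule that an indicator already in an incident cannot join another. The alert fields, the entity-to-field mapping and the sample values are assumptions; the entity types and the Last 24 Hours window come from the text.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is repeatable.
NOW = datetime(2019, 11, 21, 12, 0, tzinfo=timezone.utc)

# Assumed mapping from the Find field's entity types to alert fields; an IP may be the
# source, the target or the detector of the alert's event.
ENTITY_FIELDS = {
    "IP": ("source_ip", "target_ip", "detector_ip"),
    "MAC": ("source_mac", "target_mac"),
    "Host": ("source_host", "target_host"),
    "Domain": ("domain",),
    "User": ("source_user", "target_user"),
    "Filename": ("file_name",),
    "Hash": ("file_hash",),
}
WINDOWS = {"Last 24 Hours": timedelta(hours=24), "Last 7 Days": timedelta(days=7)}

# Constructed alerts; incident_id None means the alert is not part of any incident yet.
SAMPLE_ALERTS = [
    {"id": "A1", "name": "http-packet", "incident_id": "INC-1",
     "created": NOW - timedelta(hours=1), "source_ip": "192.168.1.1", "target_ip": "203.0.113.5"},
    {"id": "A2", "name": "Suspicious Domain (C2)", "incident_id": None,
     "created": NOW - timedelta(hours=5), "source_ip": "192.168.1.1", "domain": "c2.example.net"},
    {"id": "A3", "name": "NetWitness Endpoint", "incident_id": "INC-7",
     "created": NOW - timedelta(hours=20), "detector_ip": "192.168.1.1", "file_hash": "HASH-PLACEHOLDER-1"},
    {"id": "A4", "name": "ESA rule", "incident_id": None,
     "created": NOW - timedelta(days=3), "target_ip": "192.168.1.1"},
]


def find_related(alerts, current_incident, entity_type, value, when, now=NOW):
    """Alerts outside the current incident that mention `value` as `entity_type`
    within the selected window, newest first. `can_add` mirrors whether the
    Add to Incident button would be shown (only for alerts in no incident)."""
    fields = ENTITY_FIELDS[entity_type]
    since = now - WINDOWS[when]
    hits = []
    for alert in alerts:
        if alert["incident_id"] == current_incident or alert["created"] < since:
            continue
        if any(alert.get(field) == value for field in fields):
            hits.append({**alert, "can_add": alert["incident_id"] is None})
    return sorted(hits, key=lambda a: a["created"], reverse=True)


def add_to_incident(alerts, alert_id, incident_id):
    """Emulates the Add to Incident button: returns True when the alert was added,
    False when it is already part of an incident (including this one)."""
    for alert in alerts:
        if alert["id"] == alert_id:
            if alert["incident_id"] is not None:
                return False
            alert["incident_id"] = incident_id
            return True
    raise KeyError(f"unknown alert {alert_id}")
```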
