Respond: Determine which Incidents Require Action

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.
Version 6

Once you get the general information about the incident from the Incident List view, you can go to the Incident Details view for more information to determine the action required.

Incident Details view

View Incident Details

To view details for an incident, in the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.

Incident List view showing link to the details view in the Name column

The Incident Details view for the selected incident appears with the Overview panel and Nodal Graph in view.

Incident Details view example

The Incident Details view has the following panels:

  • OVERVIEW: The incident overview panel contains high-level summary information about the incident, such as the score, priority, alerts, and status. You have the option to change the incident Priority, Status, and Assignee.
  • INDICATORS: The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.
  • Nodal Graph: The nodal graph is an interactive graph that shows the relationship between the entities involved in the incident. An Entity is a specified piece of meta, such as IP address, MAC address, user, host, domain, file name, or file hash.
  • Events: The Events panel, also known as the Events table, lists the events associated with the incident. It also shows event source and destination information along with additional information depending on the event type. You can click an event in the list to view the detailed data for that event.
  • JOURNAL: The Journal panel enables you to access the Journal for the selected incident, which allows you to communicate and collaborate with other analysts. You can post notes to a journal, add Investigation Milestone tags (Reconnaissance, Delivery, Exploitation, Installation, Command and control), and view the history of activity on your incident.
  • TASKS: The Tasks panel shows all of the tasks that have been created for the incident. You can also create additional tasks from here.
  • RELATED: The Related Indicators panel enables you to search the NetWitness Suite alerts database to find alerts that are related to this incident. You can also add related alerts that you find to the incident.

To view more information in the left-side panel without scrolling, you can hover over the right edge and drag the line to resize the panel as shown in the following figure:

Incident Details view showing how to resize the panel

View Basic Summary Information about the Incident

You can view basic summary information about an incident in the Overview panel.

Above the Overview panel, you can see the following information:

  • Incident ID: This is an automatically created unique ID assigned to the incident.
  • Name: The incident name is derived from the rule used to trigger the incident.

Top of left panel

To view the Overview panel from the Incident Details view, select OVERVIEW in the left panel.

Overview panel

To view the Overview panel from the Incidents List view, click an incident in the list. The Overview panel appears on the right.

Incident List with the Overview panel open

The Overview panel contains basic summary information about the selected incident:

  • Created: Shows the creation date and time of the incident.
  • Rule / By: Shows the name of the rule that created the incident or the name of the person who created the incident.
  • Risk Score: Indicates the risk of the incident as calculated by an algorithm. The score ranges from 0 to 100, where 100 is the highest risk.
  • Priority: Shows the incident priority. Priority can be Critical, High, Medium or Low.
  • Status: Shows the incident status. The status can be New, Assigned, In Progress, Task Requested, Task Complete, Closed, and Closed - False Positive. After you create a task, the status changes to Task Requested.
  • Assignee: Shows the team member currently assigned to the incident.
  • Sources: Indicates the data sources used to locate the suspicious activity.
  • Categories: Shows the categories of the incident events.
  • Catalysts: Shows the count of indicators that gave rise to the incident.

View the Indicators and Enrichments

Note: Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert.

You can find indicators, events, and enrichments on the Indicators panel. The Indicators panel is a chronological listing of indicators that helps you to find enrichments and events related to the triggering indicator. For example, an indicator might be a Command and Control alert, a NetWitness Endpoint alert, a Suspicious Domain (C2) alert, or an alert from an Event Stream Analysis (ESA) rule. The Indicators panel helps you to aggregate and order these indicators (alerts) from different systems so that you can see how they are related, and it also helps you develop a timeline of a given attack.

To view the Indicators panel, in the left panel of the Incident Details view, select INDICATORS.

Indicators panel

Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. This listing helps you to connect indicators and notable data. For example, indicators can show the data found by your rules. In the Indicators panel, the risk score for an indicator is shown within a solid-colored circle.

Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. When data is available, you can see the number of enrichments. You can click the event and enrichment buttons to view the details.

View and Study the Events

You can view and study the events associated with the incident from the Events panel. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.

There are two types of events:

  • A transaction between two machines (a Source and a Destination)
  • An anomaly detected on a single machine (a Detector)

Some events will only have a Detector. For example, NetWitness Endpoint finds malware on your machine. Other events will have a Source and Destination. For example, packet data shows communication between your machine and a Command and Control (C2) domain.

You can drill further into an event to get detailed data about the event.

To view and study the events:

  1. To view the Events panel, in the Incident Details view toolbar, click the View Datasheet icon. The Events panel opens.
    Events panel
    The Events panel shows the following information about each event, one column per field:

    • TIME: Shows the time the event occurred.
    • TYPE: Shows the type of alert, such as Log and Network.
    • SOURCE IP: Shows the source IP address if there was a transaction between two machines.
    • SOURCE PORT: Shows the source port of the transaction. The source and destination ports can be on the same IP address.
    • SOURCE HOST: Shows the source host where the event took place.
    • SOURCE MAC: Shows the MAC address of the source machine.
    • SOURCE USER: Shows the user of the source machine.
    • DESTINATION IP: Shows the destination IP address if there was a transaction between two machines.
    • DESTINATION PORT: Shows the destination port of the transaction. The source and destination ports can be on the same IP address.
    • DESTINATION HOST: Shows the destination host where the event took place.
    • DESTINATION MAC: Shows the MAC address of the destination machine.
    • DESTINATION USER: Shows the user of the destination machine.
    • DETECTOR IP: Shows the IP address of the machine where an anomaly was detected.
    • FILE NAME: Shows the file name if a file is involved with the event.
    • FILE HASH: Shows a hash of the file contents.

    If there is only one event in the list, you will see the event details for that event instead of a list.

  2. Click an event in the Events list to view the Event details.
    This example shows the event details for the first event in the list.
    Event Details - First Event
  3. Use the Event Details navigation to view details for additional events.
    This example shows the second event in the list.
    Event Details - Second event showing navigation

View and Study the Entities Involved in the Events

An Entity is either an IP address, MAC address, user, host, domain, file name, or file hash. The nodal graph is an interactive graph that you can move around to get a better understanding of how the entities involved in the events relate to each other. The nodal graphs look different depending on the type of event, the number of machines involved, whether the machines are associated with users, and if there are files associated with the event.

The following figure shows an example nodal graph with six nodes.

Nodal graph

If you look closely at the nodal graph, you can see circles that represent nodes. A nodal graph can contain one or more of the following types of nodes:

  • IP address (If the event is a detected anomaly, you can see a Detector IP. If the event is a transaction, you can see a Destination IP and a Source IP.)
  • MAC address (You may see a MAC address for each type of IP address.)
  • User (If the machine is associated with a user, you can see a user node.)
  • Host
  • Domain
  • Filename (If the event involves files, you can see a filename.)
  • File Hash (If the event involves files, you may see a file hash.)

The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes.

You can click any node and drag it to reposition it.

The arrows between the nodes provide additional information about the entity relationships:

  • Communicates with: An arrow between a Source machine node (IP address or MAC address) and a Destination machine node labeled with "communicates with" shows the direction of the communication.
  • As: An arrow between nodes labeled with "as" provides additional information about the IP address that the arrow points to. In the above example, there is an arrow from the host node circle that points to a hashed IP address node that is labeled with "as". This indicates that the name on the host node circle is the hostname of that IP address and is not a different entity.
  • Has file: An arrow between a machine node (IP address, MAC address, or Host) and a file hash node labeled with "has" indicates that the machine has that file.
  • Uses: An arrow between a User node and a machine node (IP address, MAC address, or Host) labeled with "uses" shows the machine that the user was using during the event.
  • Is named: An arrow from a File Hash node to a File Name node labeled with "is named" indicates that the file hash corresponds to a file with that name.
  • Belongs to: An arrow between two nodes labeled with "belongs to" indicates that they pertain to the same node. For example, an arrow between a MAC address and a Host labeled with "belongs to" indicates that it is the MAC address for the host.

Larger line size arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The larger nodes are the most common entities mentioned in the events.

The following nodal graph example has ten nodes.

Nodal graph example showing 10 nodes

In this example, notice that there are two IP nodes that have a lot of activity. They both have files, but they do not communicate with each other. The IP address at the top (192.168.1.1) represents one machine with two hostnames (host.example.com and INENDEBS1L2C) in the example.com domain. The MAC address of the machine is 11-11-11-11-11-11-11-11-11 and Alice uses it.

Filter the Data in the Incident Details View

You can click indicators in the Indicators panel to filter what you can see in the nodal graph and the Events list.

If you select an indicator to filter the nodal graph, data that is not part of your selection is dimmed, but it is still in view as shown in the following figure.

Nodal graph filtered by incidents

If you select an indicator to filter the events list, only the events for that indicator are shown in the list. The following figure shows an indicator selected that contains two events. The filtered Events list shows those two events.

Incident Details view - An indicator selected with two events filters the Events list

If you select an indicator to filter the events list and there is only one event for that indicator, you can see the event details for that event as shown in the following figure.

Incident Details view - An indicator selected with one event shows the details for that event
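The following Python is an added illustration, not code from RSA or from NetWitness Suite, of how the Events table rows described above (transaction events with a Source and Destination, anomaly events with only a Detector) can be turned into the nodal graph's nodes, labeled arrows, size weights and legend, and how selecting an indicator dims the nodes outside it. The events and their values are constructed for the example; the column names and arrow labels follow this page.

```python
from collections import Counter

# Constructed sample events (not from the page), keyed like the Events table
# columns: two network transactions from the same workstation and one endpoint
# anomaly that only has a Detector IP and a file.
EVENTS = [
    {"source_ip": "10.0.0.5", "source_mac": "AA-BB-CC-00-11-22", "source_host": "ws01",
     "source_user": "alice", "destination_ip": "203.0.113.7",
     "destination_host": "bad.example.net"},
    {"source_ip": "10.0.0.5", "source_mac": "AA-BB-CC-00-11-22", "source_host": "ws01",
     "source_user": "alice", "destination_ip": "203.0.113.7",
     "destination_host": "bad.example.net"},
    {"detector_ip": "10.0.0.5", "file_name": "dropper.exe",
     "file_hash": "0123456789abcdef0123456789abcdef"},
]


def build_nodal_graph(events):
    """Return (nodes, edges): nodes maps (kind, value) -> activity count (node size),
    edges maps (from_node, label, to_node) -> count (arrow thickness)."""
    nodes, edges = Counter(), Counter()

    def node(kind, value):
        key = (kind, value)
        nodes[key] += 1
        return key

    for ev in events:
        if ev.get("detector_ip"):  # anomaly on a single machine: Detector only
            detector = node("ip", ev["detector_ip"])
            if ev.get("file_hash"):
                file_hash = node("hash", ev["file_hash"])
                edges[(detector, "has", file_hash)] += 1
                if ev.get("file_name"):
                    edges[(file_hash, "is named", node("filename", ev["file_name"]))] += 1
            continue
        # transaction: the Source machine communicates with the Destination machine
        src, dst = node("ip", ev["source_ip"]), node("ip", ev["destination_ip"])
        edges[(src, "communicates with", dst)] += 1
        for side, ip in (("source", src), ("destination", dst)):
            host = node("host", ev[f"{side}_host"]) if ev.get(f"{side}_host") else None
            if host:
                edges[(host, "as", ip)] += 1  # hostname of that IP, not a separate entity
            if ev.get(f"{side}_mac"):
                mac = node("mac", ev[f"{side}_mac"])
                edges[(mac, "belongs to", host or ip)] += 1
            if ev.get(f"{side}_user"):
                edges[(node("user", ev[f"{side}_user"]), "uses", ip)] += 1
    return nodes, edges


def legend(nodes):
    """Count nodes per kind, like the legend at the bottom of the nodal graph."""
    return Counter(kind for kind, _ in nodes)


def filter_by_indicator(nodes, selected_events):
    """Selecting an indicator lights its events' nodes and dims the rest (nothing is hidden)."""
    lit = set(build_nodal_graph(selected_events)[0])
    return {n: (n in lit) for n in nodes}
```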

View the Tasks associated with an Incident

Threat responders and other analysts can create tasks for an incident and track those tasks to completion. This can be very helpful, for example, when you require actions on incidents from teams outside of your security operations. You can view the tasks associated with an incident in the Incident Details view.

  1. Go to RESPOND > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident to go to the Incidents Details view.
  3. In the Incident Details view toolbar, click the Journal, Tasks, and Related icon.
    The Journal panel opens.
  4. Click the TASKS tab.
    The Tasks panel shows all of the tasks for the incident.
    TASKS panel

For more information about tasks, see Tasks List View, View All Incident Tasks, and Create a Task.

View Incident Notes

The incident Journal enables you to view the history of activity on your incident. You can view journal entries from other analysts and also communicate and collaborate with them.

  1. Go to RESPOND > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident to go to the Incidents Details view.
  3. In the Incident Details view toolbar, click the Journal, Tasks, and Related icon.
    The Journal panel shows all of the journal entries for the incident.
    Journal panel

Find Related Indicators

Related Indicators are alerts that were not originally part of the selected incident, but they are related in some way to the incident. The relationship may or may not be obvious. For example, related indicators can involve one or more entities from the incident, but they can also be related due to some intelligence outside of NetWitness Suite.

In the Incident Details view Related panel, you can search for an entity (such as IP, MAC, Host, Domain, User, Filename, or Hash) in other alerts outside of the current incident.

  1. Go to RESPOND > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident to go to the Incidents Details view.
  3. In the Incident Details view toolbar, click the Journal, Tasks, and Related icon.
    The Journal panel opens on the right.
  4. Click the RELATED tab.
    Related Indicators panel
  5. In the Related Indicators panel, enter your search criteria:
    • Find: Select the entity that you would like to locate in the alerts. For example, IP.
    • Value: Type the value of the entity. For example, type the actual IP address of the entity.
    • When: Select a time range to search for the alerts. For example, Last 24 hours.
    • Look In: Specify the type of entity to search:
      Source - The source machine in a transaction between two machines.
      Destination - The destination machine in a transaction between two machines.
      Detector - A single machine where an anomaly was detected.
      Domain - This option is available when you select Domain in the Find field.

      For example, select Source to look for alerts where a certain IP address acted as the source device. You may want to do separate searches for each type of device: Source, Destination, and Detector.
  6. Click Find.
    A list of related indicators (alerts) appears below the Find button in the Indicators for section. If an alert is not part of another incident, you can click the Add to Incident button to add the related indicator (alert) to the current incident. See Add Related Indicators to the Incident below.

Add Related Indicators to the Incident

You can add related indicators (alerts) to the current incident from the Related Indicators panel. An indicator that is already part of an incident cannot be added to another incident. In the search results, if an alert is not already part of an incident, it has an Add to Incident button.

  1. In the RELATED (Related Indicators) panel, do a search to find related indicators. See Find Related Indicators above.
    Related Indicators panel
  2. Review the alerts in the search results. The Indicators for section (below the Find button) lists the related indicators (alerts).
  3. To inspect the details of an alert before adding it as a related indicator to the incident, you can click the Open in New Window link to view the alert details for that indicator.
  4. For each alert that you want to add to the current incident as a related indicator, click the Add to Incident button.
    The selected related indicator is added to the Indicators panel on the left. The button in the Related Indicators panel on the right now shows Part of This Incident.
    Indicator find results showing Part of this Incident button after adding the indicator to the incident
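The Python below is an added example, not RSA's code or the NetWitness Suite API, that models the Related Indicators search and the Add to Incident rule described in the two procedures above: Find, Value, When and Look In narrow the alerts, and only an alert that is not yet part of any incident can be added. The alerts, their times and the `Last ...` time ranges are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (constructed, not a real clock).
NOW = datetime(2017, 10, 15, 12, 0, tzinfo=timezone.utc)

# Constructed alerts standing in for the alerts database. "roles" maps each
# Look In choice (Source / Destination / Detector / Domain) to the entities the
# alert holds in that role; "incident_id" is set once an alert belongs to an incident.
ALERTS = [
    {"id": "a1", "time": NOW - timedelta(hours=2), "incident_id": None,
     "roles": {"Source": {"IP": "10.0.0.5", "Host": "ws01"},
               "Destination": {"IP": "203.0.113.7", "Domain": "bad.example.net"}}},
    {"id": "a2", "time": NOW - timedelta(hours=5), "incident_id": "INC-7",
     "roles": {"Source": {"IP": "10.0.0.5"}, "Destination": {"IP": "198.51.100.9"}}},
    {"id": "a3", "time": NOW - timedelta(days=3), "incident_id": None,
     "roles": {"Detector": {"IP": "10.0.0.5", "Hash": "0123456789abcdef"}}},
    {"id": "a4", "time": NOW - timedelta(hours=1), "incident_id": None,
     "roles": {"Destination": {"IP": "10.0.0.5"}}},
]

# The When drop-down values assumed for this example.
WHEN = {"Last hour": timedelta(hours=1), "Last 24 hours": timedelta(hours=24),
        "Last 7 days": timedelta(days=7)}


def find_related(alerts, find, value, when, look_in, current_incident, now=NOW):
    """Return alerts matching the search fields, oldest first, each flagged with
    whether an Add to Incident button would be offered. Alerts already in the
    current incident are not "related", so they are skipped."""
    since = now - WHEN[when]
    hits = [a for a in alerts
            if a["time"] >= since
            and a["incident_id"] != current_incident
            and a["roles"].get(look_in, {}).get(find) == value]
    return [{"id": a["id"], "can_add": a["incident_id"] is None}
            for a in sorted(hits, key=lambda a: a["time"])]


def add_to_incident(alerts, alert_id, incident_id):
    """Attach the alert to the incident; refuse if it is already part of one."""
    for a in alerts:
        if a["id"] == alert_id:
            if a["incident_id"] is not None:
                raise ValueError(f"{alert_id} is already part of {a['incident_id']}")
            a["incident_id"] = incident_id
            return a
    raise KeyError(alert_id)
```

Searching the same value once per Look In role (Source, Destination, Detector), as the procedure suggests, gives different result sets because the role is part of the match.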