In the Alert Details view (Respond > Alerts > click a Name hyperlink in the Alerts List), you can view summary information about an alert, such as the source of the alert, the number of events within the alert, and whether it is part of an incident. You can also view detailed information about the events within the alert as well as the event metadata.
This workflow shows the high-level process that Analysts use to review alerts and create incidents.
After reviewing the alerts list, in the Alert Details view, you can investigate those alerts further and create incidents from the alerts. In the Configure > Incident Rules view, you can create incident rules to create incidents.
What do you want to do?
| Role | I want to ... | Show me how |
|---|---|---|
| Incident Responders, Analysts | View all alerts in NetWitness Platform. | |
| SOC Managers, | Create incident rules. | See "Create an Incident Rule for Alerts" in the NetWitness Respond Configuration Guide. |
| Incident Responders, Analysts | View a list of events in the alert.* | View Event Details for an Alert |
| Incident Responders, Analysts | View event metadata for each event in the alert.* | View Event Details for an Alert |
| | Further investigate the events in the alert.* | |
| Incident Responders, Analysts | Add alerts to an existing incident. | |
| Incident Responders, Analysts | Create incidents from alerts. | Create an Incident Manually |
| Data Privacy Officers, | Delete alerts. | Delete Alerts |

*You can complete these tasks here (that is, in the Alert Details view).
To access the Alert Details view:

1. Go to Respond > Alerts.
2. In the Alerts list, choose an alert to view and then click the link in the Name column for that alert.
The Alert Details view has an Overview panel on the left and the Events panel on the right. You can resize the panels to show more information as shown in the following figure.
The Overview panel shows basic summary information about a selected alert. The Overview panel on the Alerts List view contains the same information. The Alerts List view Alert Overview Panel topic provides details.
The Events panel can show an Events List if there is more than one event in the alert. If there is only one event in the alert, or you click an event in the Events List, you can see Event Details in the Events panel.
The Events List for a selected alert shows all of the events contained in that alert.
The following table lists some of the columns shown in the Events List, which provide a summary of the listed events.
| Column | Description |
|---|---|
| Time | Shows the time the event occurred. |
| Type | Shows the type of alert, such as Log and Network. |
| Source IP | Shows the source IP address if there was a transaction between two machines. |
| Destination IP | Shows the destination IP address if there was a transaction between two machines. |
| Detector IP | Shows the IP address of the machine where an anomaly was detected. |
| Source User | Shows the user of the source machine. |
| Destination User | Shows the user of the destination machine. |
| File Name | Shows the file name if a file is involved with the event. |
| File Hash | Shows a hash of the file contents. |
The Event Details in the Events panel shows the event metadata for each event in the alert.
The following table lists some of the event metadata sections and subsections shown in the first two columns of the Event Details. This is not an exhaustive list.

| Section | Subsection | Description |
|---|---|---|
| | | Shows information about the data involved with the event, such as the files involved. There may be 0 or more per event. |
| | Filename | Shows the file name if a file is involved with the event. |
| | Hash | Shows a hash of the file contents, for example, MD5 or SHA1. |
| | Size | Shows the size of the transmission or file involved with the event. |
| Description | | Displays a general description of the event. |
| | | Shows the destination device and user. |
| | Device | Shows information about the destination device. See Event Source or Destination Device Attributes below. |
| | User | Shows information about the user or users of the destination. See Event Source or Destination User Attributes below. |
| | | Shows the host or software product that detected the issue. This is most relevant for malware scanners and logs. |
| | | Shows the device class of the product that detected the alert. |
| | | Shows the IP address of the product that detected the alert. |
| | | Shows the name of the product that detected the alert. |
| Domain | | Shows the domain associated with the event. |
| | | Shows available enrichment information. |
| Related Links | | If available, shows a link back to the user interface (UI) of the source product. |
| | | Shows the type of event, such as investigate_original_event. |
| | | Shows the URL link back to the UI of the source product. |
| | | Shows the size of the transmission or file involved. |
| Source | | Shows the source device and user. |
| | | Shows information about the source machine. See Event Source or Destination Device Attributes below. |
| | User | Shows information about the user or users of the source machine. See Event Source or Destination User Attributes below. |
| | | Shows the time that the event occurred. |
| | | Shows the type of the alert, such as log, network, correlation, Resubmit, Manual Upload, On Demand, File Share, or Instant IOC. |
The following table lists attributes for an event source or destination device that can be shown in the Events Details.
| Attribute | Description |
|---|---|
| Asset Type | Displays the type of device, for example, desktop, laptop, server, network equipment, tablet, and so on. |
| BusinessUnit | Shows the business unit associated with the device. |
| Compliance Rating | Shows the compliance rating of the device. It can be Low, Medium, or High. |
| Criticality | Shows how critical the device is to the business (business criticality). |
| Facility | Shows the location of the device. |
| Geolocation | Shows the geographic location for the host. It can contain the following attributes: city, country, latitude, longitude, organization, and domain. |
| IP Address | Shows the IP address of the device. |
| MAC Address | Shows the MAC address of the device. |
| Netbios Name | Shows the NetBIOS name for the device. |
| | Displays the TCP port, UDP port, or the IP Src port (the first one available) used to connect to and from the host. |
The following table lists attributes for an event source or destination user that can be shown in the Event Details.

| Attribute | Description |
|---|---|
| AD Domain | Shows the Active Directory domain. |
| AD Username | Shows the Active Directory username. |
| Email Address | Shows the email address of the user. |
| Username | Shows a general name if you do not know the source of the username, such as UNIX or a username in a particular system. |
This table lists the toolbar actions available in the Alert Details view.