Respond: Alert Details View

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.

In the Alert Details view (RESPOND >Alerts > click a NAME hyperlink in the Alerts List), you can view summary information about an alert, such as the source of the alert, the number of events within the alert, and whether it is part of an incident. You can also view detailed information about the events within the alert as well as the event metadata.

Workflow

This workflow shows the high-level process that Analysts use to review alerts and create incidents.

Figure: Incident Details view workflow diagram

After reviewing the alerts list, in the Alert Details view, you can investigate those alerts further and create incidents from the alerts. In the CONFIGURE > INCIDENT RULES view, you can create aggregation rules to create incidents.

Note: You can also use NetWitness Suite Automated Threat Detection to create incidents without manually creating rules.

What do you want to do?

Role | I want to ... | Show me how
Incident Responders, Analysts | View all alerts in NetWitness Suite. | View Alerts
SOC Managers, Administrators | Create aggregation rules. | See "Create an Aggregation Rule for Alerts" in the NetWitness Respond Configuration Guide.
Incident Responders, Analysts | View a list of events in the alert.* | View Event Details for an Alert
Incident Responders, Analysts | View event metadata for each event in the alert.* | View Event Details for an Alert
Incident Responders, Analysts | Further investigate the events in the alert.* | Investigate Events
Incident Responders, Analysts | Add alerts to an existing incident. | Add Related Indicators to the Incident
Incident Responders, Analysts | Create incidents from alerts. | Create an Incident Manually
Data Privacy Officers, Administrators | Delete alerts. | Delete Alerts

*You can complete these tasks here (that is, in the Alert Details view).

Alert Details View

  1. To access the Alert Details view, go to RESPOND > Alerts.

  2. In the Alerts list, choose an alert to view and then click the link in the NAME column for that alert.
    The Alert Details view has an Overview panel on the left and the Events panel on the right. You can resize the panels to show more information as shown in the following figure.
    Figure: Alert Details view

Overview Panel

The Overview panel shows basic summary information about a selected alert. The Overview panel on the Alerts List view contains the same information. The Alerts List view Overview Panel topic provides details.

Figure: Alert Details view Overview panel (this panel is the same as the Overview panel in the Alerts List view)

Events Panel

The Events panel can show an Events List if there is more than one event in the alert. If there is only one event in the alert, or you click an event in the Events List, you can see Event Details in the Events panel.

Events List

The Events List for a selected alert shows all of the events contained in that alert.

Figure: Alert Details view - Events panel showing the Events List

The following table lists some of the columns shown in the Events List, which provide a summary of the listed events.

Column | Description
TIME | Shows the time the event occurred.
TYPE | Shows the type of alert, such as Log and Network.
SOURCE IP | Shows the source IP address if there was a transaction between two machines.
DESTINATION IP | Shows the destination IP address if there was a transaction between two machines.
DETECTOR IP | Shows the IP address of the machine where an anomaly was detected.
SOURCE USER | Shows the user of the source machine.
DESTINATION USER | Shows the user of the destination machine.
FILE NAME | Shows the file name if a file is involved with the event.
FILE HASH | Shows a hash of the file contents.

Event Details

The Event Details in the Events panel show the event metadata for each event in the alert.

Figure: Alert Details view - Events panel showing Event List

Event Metadata

The following table lists some of the event metadata sections and subsections shown in the first two columns of the Event Details. This is not an exhaustive list.

Section | Subsection | Description
Data | | Shows information about the data involved with the event, such as the files involved. There may be 0 or more per event.
 | Filename | Shows the file name if a file is involved with the event.
 | Hash | Shows a hash of the file contents, for example, MD5 or SHA1.
 | Size | Shows the size of the transmission or file involved with the event.
Description | | Displays a general description of the event.
Destination | | Shows the destination device and user.
 | Device | Shows information about the destination device. See Event Source or Destination Device Attributes below.
 | User | Shows information about the user or users of the destination. See Event Source or Destination User Attributes below.
Detector | | Shows the host or software product that detected the issue. This is most relevant for malware scanners and logs.
 | Device Class | Shows the device class of the product that detected the alert.
 | IP Address | Shows the IP address of the product that detected the alert.
 | Product Name | Shows the name of the product that detected the alert.
Domain | | Shows the domain associated with the event.
Enrichment | | Shows available enrichment information.
Related Links | | If available, shows a link back to the user interface (UI) of the source product.
 | Type | Shows the type of event, such as investigate_original_event.
 | URL | Shows the URL link back to the UI of the source product.
Size | | Shows the size of the transmission or file involved.
Source | | Shows the source device and user.
 | Device | Shows information about the source machine. See Event Source or Destination Device Attributes below.
 | User | Shows information about the user or users of the source machine. See Event Source or Destination User Attributes below.
Timestamp | | Shows the time that the event occurred.
Type | | Shows the type of the alert, such as log, network, correlation, Resubmit, Manual Upload, On Demand, File Share, or Instant IOC.

Event Source or Destination Device Attributes

The following table lists attributes for an event source or destination device that can be shown in the Event Details.

Name | Description
Asset Type | Displays the type of device, for example, desktop, laptop, server, network equipment, tablet, and so on.
Business Unit | Shows the business unit associated with the device.
Compliance Rating | Shows the compliance rating of the device. It can be Low, Medium, or High.
Criticality | Shows how critical the device is to the business (business criticality).
Facility | Shows the location of the device.
Geolocation | Shows the geographic location of the host. It can contain the following attributes: city, country, latitude, longitude, organization, and domain.
IP Address | Shows the IP address of the device.
MAC Address | Shows the MAC address of the device.
Netbios Name | Shows the NetBIOS name of the device.
Port | Displays the TCP port, UDP port, or the IP Src port (the first one available) used to connect to and from the host.

Event Source or Destination User Attributes

The following table lists attributes for an event source or destination user that can be shown in the Event Details.

Attribute Name | Description
AD Domain | Shows the Active Directory domain.
AD Username | Shows the Active Directory username.
Email Address | Shows the email address of the user.
Username | Shows a general username when the source of the username is not known, such as a UNIX username or a username in a particular system.

Toolbar Actions

This table lists the toolbar actions available in the Alert Details view.

Option | Description
Back to Alerts icon (arrow pointing left) | (Back to Alerts) Enables you to navigate back to the Alerts List view.
Event Details navigation options (arrows and Back to Table button) | Click the arrows to navigate through the event metadata details for each event in the alert. The numbers, such as "1 of 2", show the number of the event that you are currently viewing. Click Back to Table to go back to the Events List view, which is also known as the Events Table.

 
