Respond: Incident Details View

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017. Version 6.

In the Incident Details view (RESPOND > Incidents > click an ID or NAME hyperlink in the Incidents List), you can view and access extensive incident details. The Incident Details view contains multiple panels that provide the following benefits:

  • Overview: View an incident summary and update the incident.
  • Indicators: View the indicators (alerts) involved in the incident, the events within those alerts, and available enrichment information.
  • Nodal Graph: Visualize the size of, and the interactions between, the entities involved (IP address, MAC address, user, host, domain, file name, or file hash).
  • Events Datasheet: Study the events associated with the incident.
  • Journal: Add notes and collaborate with other analysts.
  • Tasks: Create incident tasks and track them to closure.
  • Related Indicators: View indicators (alerts) that are related to the incident and add them to the incident if they are not associated with an incident.

You can also filter the data in the Incident Details view to study indicators and entities of interest.

Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Suite.

Incident Details view workflow diagram

In the Incident Details view, you can use the extensive information provided about the incidents to determine which incidents require action. You also have the tools and information to investigate the incident, and then escalate or remediate it.

What do you want to do?

                                                                                             
Role I want to ...Show me how

Incident Responders, Analysts, and SOC Manager

View prioritized incidents, filter and sort the incident list, find incidents, view my incidents, and assign incidents to myself.

Review Prioritized Incident List

Incident Responders, AnalystsView incident details.*View Incident Details
Incident Responders, AnalystsView alerts and enrichments.*View the Indicators and Enrichments
Incident Responders, AnalystsView events.*View and Study the Events
Incident Responders, AnalystsView a graph of the entities involved in the events.*View and Study the Entities Involved in the Events
Incident Responders, AnalystsFilter the incident data.*Filter the Data in the Incident Details View
Incident Responders, AnalystsView and add incident notes.*View Incident Notes and Document Steps Taken Outside of NetWitness
Incident Responders, AnalystsView and create tasks.*View the Tasks associated with an Incident and Create a Task
Incident Responders, AnalystsAdd related alerts and add them to the incident.*Find Related Indicators and Add Related Indicators to the Incident
Incident Responders, AnalystsView contextual information about an incident from Context Hub.*View Contextual Information
Incident Responders, Analysts

Reduce false positives by adding an entity to the whitelist.*

Add an Entity to a Whitelist

Incident Responders, Analysts

Pivot to Investigation.*

Pivot to Investigate

Incident Responders, AnalystsPivot to NetWitness Endpoint.*Pivot to NetWitness Endpoint
Incident Responders, AnalystsUpdate or close an incident.*

Update an Incident and Close an Incident

Incident Responders, Analysts, and SOC ManagerView all tasks.

Escalate or Remediate the Incident

Incident Responders, Analysts, and SOC ManagerBulk update incidents and tasks.Escalate or Remediate the Incident

*You can complete these tasks here (that is in the Incident Details view).


Quick Look

The following example shows the locations of the Incident Details view panels.

Incident Details view Quick Look Diagram

                                 
1 Overview Panel (Click the OVERVIEW tab to view it.)
2 Indicators Panel
3 Nodal Graph
4 Events Datasheet (Click an event in the Events List to view Event Details.).
5 Journal Panel
6Tasks Panel (Click the TASKS tab to view it.)
7 Related Indicators Panel (Click the RELATED tab to view it.)

Overview Panel

The Overview panel shows basic summary information about a selected incident. It also allows you to change the incident name and update the incident priority, status, and assignee. The Overview panel in the Incidents List view contains the same information. The Incidents List view Overview Panel topic provides details.

Incident Details view Overview Panel

Indicators Panel

The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. (This is different from a timeline, which provides a visual representation of the timing of the events in the incident.) This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.

To view the Indicators panel, in the left panel of the Incident Details view, select INDICATORS.

Incident Details view Indicators panel

Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator.

Nodal Graph

The nodal graph is an interactive graph that shows the entities involved in the incident. An entity is a specific piece of meta (metadata), such as an IP address, MAC address, user, host, domain, file name, or file hash.

Nodal Graph example

Nodes

In the nodal graph, circles represent nodes. The following table describes the nodal graph node types.

                                        
NodeDescription

IP address

If the event is a detected anomaly, you can see a Detector IP. If the event is a transaction, you can see a Destination IP and a Source IP.

MAC address

You may see a MAC address for each type of IP address.

User

If the machine is associated with a user, you can see a user node.
HostA host can be physical equipment or a virtual machine, designated by a Fully Qualified Domain Name (FQDN) or IP address, on which any service is installed.

Domain

 

FilenameIf the event involves files, you can see a filename.

File Hash

If the event involves files, you may see a file hash.

The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes. It also helps you to locate the entities when the values, such as the IP addresses, are hashed.

You can click any node and drag it to reposition it.

Arrows

The arrows between the nodes provide additional information about the entity relationships. The following table describes the nodal graph arrow types.

                                    
ArrowDescription
Communicates withAn arrow between a Source machine node (IP address or MAC address) and a Destination machine node labeled with "communicates with" shows the direction of the communication.
AsAn arrow between nodes labeled with "as" provides additional information about the IP address that the arrow points to. For example, if there is an arrow from the host node circle that points to an IP address node that is labeled with "as", it indicates that the name on the host node circle is the hostname of that IP address and is not a different entity.
Has fileAn Arrow between a machine node (IP address, MAC address, or Host) and a file hash node labeled with "has" indicates that the IP address has that file.
UsesAn arrow between a User node and a machine node (IP address, MAC address, or Host) labeled with "uses" shows the machine that the user was using during the event.
Is namedAn arrow from a File Hash node to a File Name node labeled with "is named" indicates that the file hash corresponds to a file with that name.
Belongs toAn arrow between two nodes labeled with "belongs to" indicates that they pertain to the same node. For example, an arrow between a MAC address and a Host labeled with "belongs to" indicates that it is the MAC address of the host.

Thicker arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes; the largest nodes are the entities mentioned most often in the events.
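The node and arrow tables above describe the nodal graph as a data structure: typed entity nodes sized by how often they appear, joined by labeled, directed arrows weighted by how many events support them. The following Python script is an added illustration, not code from the page or from NetWitness, that builds that structure from a handful of constructed events whose keys mirror the Events List columns (the dictionary keys, the node-type names and the `NodalGraph` class are assumptions made for this example).

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample events for this illustration (not data from the page).
# Keys mirror the Events List columns (source/destination/detector IP, MAC,
# host, user, file name, file hash); a missing key means that column is
# empty for the event type.
SAMPLE_EVENTS = [
    {"type": "Network", "source_ip": "10.0.0.5", "source_mac": "aa:bb:cc:00:00:05",
     "source_host": "ws05.corp.example", "source_user": "alice",
     "destination_ip": "203.0.113.9"},
    {"type": "Network", "source_ip": "10.0.0.5", "source_mac": "aa:bb:cc:00:00:05",
     "source_host": "ws05.corp.example", "source_user": "alice",
     "destination_ip": "203.0.113.9"},
    {"type": "Endpoint", "detector_ip": "10.0.0.5",
     "source_host": "ws05.corp.example",
     "file_name": "dropper.exe", "file_hash": "0123456789abcdef" * 4},
    {"type": "Log", "detector_ip": "10.0.0.7", "source_user": "bob"},
]


@dataclass
class NodalGraph:
    # (node type, value) -> number of events mentioning the entity;
    # this count is what the graph draws as the circle size.
    nodes: Counter = field(default_factory=Counter)
    # (source node, label, destination node) -> number of supporting events;
    # this count is what the graph draws as the arrow thickness.
    edges: Counter = field(default_factory=Counter)

    def add_node(self, ntype, value):
        """Record one mention of an entity; return its key, or None if absent."""
        if not value:
            return None
        key = (ntype, value)
        self.nodes[key] += 1
        return key

    def add_edge(self, src, label, dst):
        """Add a labeled arrow only when both endpoints occur in this event."""
        if src and dst:
            self.edges[(src, label, dst)] += 1

    def legend(self):
        """Number of nodes of each type, as the legend under the graph lists."""
        return dict(Counter(ntype for ntype, _ in self.nodes))

    def largest(self, n=3):
        """The n most frequently mentioned entities (the biggest circles)."""
        return [key for key, _ in self.nodes.most_common(n)]


def build_nodal_graph(events):
    """Turn a list of incident events into typed nodes and labeled arrows."""
    g = NodalGraph()
    for ev in events:
        src_ip = g.add_node("ip", ev.get("source_ip"))
        dst_ip = g.add_node("ip", ev.get("destination_ip"))
        det_ip = g.add_node("ip", ev.get("detector_ip"))
        src_mac = g.add_node("mac", ev.get("source_mac"))
        dst_mac = g.add_node("mac", ev.get("destination_mac"))
        src_host = g.add_node("host", ev.get("source_host"))
        dst_host = g.add_node("host", ev.get("destination_host"))
        src_user = g.add_node("user", ev.get("source_user"))
        dst_user = g.add_node("user", ev.get("destination_user"))
        f_hash = g.add_node("filehash", ev.get("file_hash"))
        f_name = g.add_node("filename", ev.get("file_name"))
        # The machine the event is "about": the source of a transaction,
        # or the detector of an anomaly when there is no source.
        machine = src_ip or src_host or det_ip
        g.add_edge(src_ip, "communicates with", dst_ip)  # direction of traffic
        g.add_edge(src_host, "as", src_ip)               # host name of that IP
        g.add_edge(dst_host, "as", dst_ip)
        g.add_edge(src_mac, "belongs to", src_host)      # MAC of the host
        g.add_edge(dst_mac, "belongs to", dst_host)
        g.add_edge(src_user, "uses", machine)            # user on the machine
        g.add_edge(dst_user, "uses", dst_ip or dst_host)
        g.add_edge(machine, "has", f_hash)               # machine holds the file
        g.add_edge(f_hash, "is named", f_name)           # hash -> file name
    return g


if __name__ == "__main__":
    graph = build_nodal_graph(SAMPLE_EVENTS)
    print("legend:", graph.legend())
    print("largest nodes:", graph.largest())
    for (src, label, dst), weight in graph.edges.most_common():
        print(f"{src} --{label} (x{weight})--> {dst}")
```

With the constructed events, the workstation IP appears in three events (twice as a transaction source, once as the detector of an endpoint alert), so it is the largest circle, and the two identical network events give the "communicates with" arrow a weight of 2, which is what the graph renders as a thicker line.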

Events Datasheet

The Events datasheet shows the events associated with the incident. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.

The Events datasheet shows an Events List for multiple events or Event Details for a single event.

Events List

The following figure shows the Events List.

Incident Details view Events List

The following table describes the columns in the Events list.

Column: Description

  • TIME: Shows the time the event occurred.
  • TYPE: Shows the type of alert, such as Log and Network.
  • SOURCE IP: Shows the source IP address if there was a transaction between two machines.
  • SOURCE PORT: Shows the source port of the transaction. The source and destination ports can be on the same IP address.
  • SOURCE HOST: Shows the destination host where the event took place.
  • SOURCE MAC: Shows the MAC address of the source machine.
  • SOURCE USER: Shows the user of the source machine.
  • DESTINATION IP: Shows the destination IP address if there was a transaction between two machines.
  • DESTINATION PORT: Shows the destination port of the transaction. The source and destination ports can be on the same IP address.
  • DESTINATION HOST: Shows the host name of the destination machine.
  • DESTINATION MAC: Shows the MAC address of the destination machine.
  • DESTINATION USER: Shows the user of the destination machine.
  • DETECTOR IP: Shows the IP address of the machine where an anomaly was detected.
  • FILE NAME: Shows the file name if a file is involved with the event.
  • FILE HASH: Shows a hash of the file contents.

Event Details

To view the event details, click an event in the Events List. If there is only one event in the list, the event details for that event are shown instead of a list.

Incident Details view Event Details

Journal Panel

The incident Journal shows the history of activity on your incident.

Incident Details view Journal panel

The following table describes the New Journal Entry options.

Field: Description

  • New Journal Entry: Type your note in the field.
  • Milestone: (Optional) Select a milestone, if applicable. This field is used to track significant events for the incident.
  • Submit button: Click Submit to add an entry to the journal. Your journal entry will be visible to anyone who views the incident.

Tasks Panel

In the Tasks panel, you can manage and track the incident tasks to closure.

Incident Details view Tasks panel

The following table describes the Task fields.

Field: Description

  • <Task ID> / <Incident ID>: The autogenerated Task ID / The incident associated with the task.
  • CREATED: The created date of the task.
  • LAST UPDATED: The date that the task was last modified.
  • OPENED: The time that has passed since the task was opened. For example, 3 minutes ago or 2 days ago.
  • NAME: The name of the task. For example: Re-image the machine. You can click this field to edit it.
  • ASSIGNEE: The username of the user assigned to the task. You can click this field to edit it.
  • PRIORITY: The priority of the task: Low, Medium, High, or Critical. You can click the priority button and select a new priority for the task from the drop-down list.
  • STATUS: The status of the task: New, Assigned, In Progress, Remediated, Risk Accepted, or Not Applicable. You can click the status button and select a new status for the task from the drop-down list.
  • DESCRIPTION: Type information that describes the task. You may want to include any applicable reference numbers. You can click this field to edit it.

Related Indicators Panel

The Related Indicators panel enables you to search the NetWitness Suite alerts database to find alerts that are related to this incident. You can add alerts that you find to the incident if they are not already associated with an incident.

Incident Details view Related Indicators panel

The following table describes the fields in the search section at the top of the panel.

Field: Description

  • Find: Select the entity that you would like to locate in the alerts. For example, IP.
  • Value: Type the value of the entity. For example, type the actual IP address of the entity.
  • When: Select a time range to search for the alerts. For example, Last 24 hours.
  • Look in: Specify the type of entity to search:
      • Source: The source machine in a transaction between two machines.
      • Destination: The destination machine in a transaction between two machines.
      • Detector: A single machine where an anomaly was detected.
      • Domain: This option is available when you select Domain in the Find field.
    For example, select Source to look for alerts where a certain IP address acted as the source device. You may want to do separate searches for each type of device: Source, Destination, and Detector.
  • Find button: Initiates the search. A list of related indicators appears below the Find button in the Indicators for section.
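The search form above is a filter over the alerts database: an entity type and value, a role for that entity (Source, Destination, Detector, or Domain), and a time window, followed by an "add to incident" step that only applies to alerts not already tied to an incident. The following Python script is an added example, not code from the page or from NetWitness, that models that search and the add step over a constructed set of alerts; the alert dictionary keys, the `find_related`, `classify` and `add_to_incident` names, and the fixed "current time" are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the time-window filter is reproducible.
NOW = datetime(2017, 10, 15, 12, 0, tzinfo=timezone.utc)

# Constructed alerts (assumed shape, not the product's schema). incident_id is
# None for alerts that are not yet associated with any incident.
SAMPLE_ALERTS = [
    {"id": "a1", "created": NOW - timedelta(hours=2), "incident_id": "INC-1",
     "source_ip": "10.0.0.5", "destination_ip": "203.0.113.9"},
    {"id": "a2", "created": NOW - timedelta(hours=5), "incident_id": None,
     "source_ip": "10.0.0.5", "destination_ip": "198.51.100.2"},
    {"id": "a3", "created": NOW - timedelta(days=3), "incident_id": None,
     "source_ip": "10.0.0.5", "destination_ip": "198.51.100.3"},
    {"id": "a4", "created": NOW - timedelta(hours=1), "incident_id": None,
     "destination_ip": "10.0.0.5"},
    {"id": "a5", "created": NOW - timedelta(hours=1), "incident_id": "INC-2",
     "detector_ip": "10.0.0.5"},
    {"id": "a6", "created": NOW - timedelta(hours=1), "incident_id": None,
     "domain": "bad.example"},
]

# The "When" choices, as relative windows ending at the current time.
WINDOWS = {
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
}


def find_related(alerts, find, value, when, look_in, now=NOW):
    """Mirror the search form: find = entity type (e.g. "IP"), value = its
    value, when = a WINDOWS label, look_in = Source/Destination/Detector/Domain.
    Returns matching alerts in the order they were stored."""
    if look_in == "Domain":
        key = "domain"
    else:
        # e.g. Source + IP -> the alert's source_ip field
        key = f"{look_in.lower()}_{find.lower()}"
    cutoff = now - WINDOWS[when]
    return [a for a in alerts
            if a.get(key) == value and a["created"] >= cutoff]


def classify(results, incident_id):
    """Label each hit the way the results section does: already 'Part Of This
    Incident', eligible for 'Add To Incident', or locked to another incident."""
    labels = []
    for a in results:
        if a["incident_id"] == incident_id:
            labels.append((a["id"], "Part Of This Incident"))
        elif a["incident_id"] is None:
            labels.append((a["id"], "Add To Incident"))
        else:
            labels.append((a["id"], "In other incident"))
    return labels


def add_to_incident(alert, incident_id):
    """Associate an alert with the incident; refuse if it already belongs to a
    different incident. Returns True when the alert is now part of the incident."""
    if alert["incident_id"] not in (None, incident_id):
        return False
    alert["incident_id"] = incident_id
    return True


if __name__ == "__main__":
    # Separate searches per role, as the form text suggests.
    for role in ("Source", "Destination", "Detector"):
        hits = find_related(SAMPLE_ALERTS, "IP", "10.0.0.5", "Last 24 hours", role)
        print(role, classify(hits, "INC-1"))
```

Running the three role searches for the same IP shows why the page recommends separate searches: the Source search returns the outbound transactions, the Destination search a different alert where the address was the target, and the Detector search an endpoint anomaly that is already locked to another incident and therefore cannot be added.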

The following table describes the options in the Indicators for (results) section at the bottom of the panel.

Option: Description

  • Indicators For: Shows the search results.
  • Open in new window link: Shows alert details for the indicator.
  • Add To Incident button: Adds the related indicator to the incident. The related indicator is then shown in the Indicators panel.
  • Part Of This Incident button: Shows that the indicator is already part of the incident.

Toolbar Actions

Option: Description

  • Back to Alerts icon (arrow pointing left) (Back to Incidents): Enables you to navigate back to the Incidents List view.
  • Close (X) icon: Closes the panel.
  • Trash can (delete) icon: Deletes the entry, such as a journal entry or task.
  • Priority button (in the Overview panel): Allows you to change the Priority of one or more selected incidents in the Incidents List.
  • Status button (in the Overview panel): Allows you to change the Status of one or more selected incidents.
  • Assignee button (in the Overview panel): Allows you to change the Assignee of one or more selected incidents.
  • View Graph icon (View: Graph): Enables you to view the Nodal Graph.
  • View Datasheet icon (View: Datasheet): Enables you to view the Events datasheet, which can appear as an Events List for multiple events or Event Details for a single event.
  • Journal, Tasks, and Related icon (Journal, Tasks, and Related): Enables you to view the Journal, Tasks, and Related Indicators panels.