In the Incident Details view (RESPOND > Incidents > click an ID or NAME hyperlink in the Incidents List), you can view and access extensive incident details. The Incident Details view contains multiple panels that provide the following benefits:
- Overview: View an incident summary and update the incident.
- Indicators: View the indicators (alerts) involved in the incident, the events within those alerts, and available enrichment information. You can also access Event Analysis details for some events and perform event reconnaissance.
- Nodal Graph: Visualize the size and interactions between entities (IP address, MAC address, user, host, domain, file name, or file hash).
- Events Datasheet: Study the events associated with the incident.
- Journal: Add notes and collaborate with other analysts.
- Tasks: Create incident tasks and track them to closure.
- Related Indicators: View indicators (alerts) that are related to the incident and add them to the incident if they are not associated with an incident.
You can also filter the data in the Incident Details view to study indicators and entities of interest.
This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Platform.
In the Incident Details view, you can use the extensive information provided about the incidents to determine which incidents require action. You also have the tools and information to investigate the incident, and then escalate or remediate it.
What do you want to do?
*You can complete these tasks here (that is, in the Incident Details view).
- Incidents List View
- Determine which Incidents Require Action
- Investigate the Incident
- Escalate or Remediate the Incident
The following example shows the locations of the Incident Details view panels.
| Callout | Panel |
|---|---|
| 1 | Overview Panel (Click the OVERVIEW tab to view it.) |
| 4 | Events Datasheet (Click an event in the Events List to view Event Details.) |
| 6 | Tasks Panel (Click the TASKS tab to view it.) |
| 7 | Related Indicators Panel (Click the RELATED tab to view it.) |
| 8 | Event Analysis Panel (Click an event type hyperlink in the Indicators panel to view the Event Analysis.) |
The Overview panel shows basic summary information about a selected incident. It also allows you to change the incident name and update the incident priority, status, and assignee. The Overview panel in the Incidents List view contains the same information. The Incidents List view Overview Panel topic provides details.
The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. (This is different than a timeline, which provides a visual representation of the timing of the events in the incident). This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.
To view the Indicators panel, in the left panel of the Incident Details view, select INDICATORS.
Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. In the Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of the events.
You can perform an Event Analysis from the Indicators panel. Events preceded by an EA (Event Analysis) marker have event reconnaissance information available. You can select an event type hyperlink, such as Network, to access an event analysis for the selected event.
In the Event Analysis panel, you can view raw events and metadata with interactive features that enhance your ability to find meaningful patterns in the data. You can examine network, log, and endpoint events. The Event Analysis panel in the Respond view shows the Event Analysis view from Investigate for specific indicator events. For detailed information about the Event Analysis view, see the NetWitness Investigate User Guide.
The nodal graph is an interactive graph that shows the entities involved in the incident. An entity is a specific piece of metadata, such as an IP address, MAC address, user, host, domain, file name, or file hash.
In the nodal graph, circles represent nodes. The following table describes the nodal graph node types.
The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes. It also helps you to locate the entities when the values, such as the IP addresses, are hashed.
You can click any node and drag it to reposition it.
In NetWitness Platform version 11.2 and later, you can select the node types that you want to view by clearing or selecting the checkboxes in the legend. The following figure shows an example nodal graph legend with all node types selected except IP.
The arrows between the nodes provide additional information about the entity relationships. The following table describes the nodal graph arrow types.
Thicker arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The largest nodes are the entities mentioned most often in the incident's events.
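The data model behind the nodal graph, as an added illustration that is not NetWitness code: entity nodes sized by how many events mention them, arrows weighted by how many events link a pair, a per-type legend count, and a hidden-types set that mimics clearing checkboxes in the legend. The event records and entity values are constructed sample data.

```python
from collections import Counter

# Constructed sample events (not NetWitness data). Each event links a source
# entity to a destination entity; entities are (type, value) tuples.
SAMPLE_EVENTS = [
    {"source": ("ip", "10.0.0.5"), "destination": ("domain", "bad.example")},
    {"source": ("ip", "10.0.0.5"), "destination": ("domain", "bad.example")},
    {"source": ("ip", "10.0.0.5"), "destination": ("domain", "bad.example")},
    {"source": ("user", "alice"), "destination": ("host", "WKS-01")},
    {"source": ("host", "WKS-01"), "destination": ("ip", "10.0.0.5")},
    {"source": ("host", "WKS-01"), "destination": ("hash", "<sample-hash>")},
]


def build_nodal_graph(events, hidden_types=frozenset()):
    """Return (node_activity, edge_weight, legend) for a set of incident events.

    node_activity: entity -> number of events mentioning it (drives node size)
    edge_weight:   (src, dst) -> number of events linking them (drives arrow width)
    legend:        entity type -> number of visible nodes of that type
    hidden_types:  entity types hidden via the legend checkboxes (assumed
                   semantics: hidden nodes and their arrows disappear, other
                   nodes keep their activity counts).
    """
    node_activity = Counter()
    edge_weight = Counter()
    for ev in events:
        src, dst = ev["source"], ev["destination"]
        src_visible = src[0] not in hidden_types
        dst_visible = dst[0] not in hidden_types
        if src_visible:
            node_activity[src] += 1
        if dst_visible:
            node_activity[dst] += 1
        if src_visible and dst_visible:
            edge_weight[(src, dst)] += 1
    legend = Counter(node_type for node_type, _ in node_activity)
    return node_activity, edge_weight, legend


def most_active_entities(node_activity, n=3):
    """The n largest nodes, i.e. the entities mentioned most often."""
    return [entity for entity, _ in node_activity.most_common(n)]


if __name__ == "__main__":
    activity, edges, legend = build_nodal_graph(SAMPLE_EVENTS)
    print("legend:", dict(legend))
    print("largest nodes:", most_active_entities(activity))
    print("heaviest arrows:", edges.most_common(2))
```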
The Events datasheet shows the events associated with the incident. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.
The Events datasheet shows an Events List for multiple events or Event Details for a single event.
The following figure shows the Events List.
The following table describes the columns in the Events list.
To view the event details, click an event in the Events List. If there is only one event in the list, you see the Event Details for that event instead of a list.
The incident Journal shows the history of activity on your incident.
The following table describes the New Journal Entry options.
In the Tasks panel, you can manage and track the incident tasks to closure.
The following table describes the Task fields.
Related Indicators Panel
The Related Indicators panel enables you to search the NetWitness Platform alerts database to find alerts that are related to this incident. You can add alerts that you find to the incident if they are not already associated with an incident.
The following table describes the fields in the search section at the top of the panel.
The following table describes the options in the Indicators for (results) section at the bottom of the panel.