Respond: Incident Details View

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019.
Version 10

In the Incident Details view (RESPOND > Incidents > click an ID or NAME hyperlink in the Incidents List), you can view and access extensive incident details. The Incident Details view contains multiple panels that provide the following benefits:

  • Overview: View an incident summary and update the incident.
  • Indicators: View the indicators (alerts) involved in the incident, the events within those alerts, and available enrichment information. You can also access Event Analysis details for some events and perform event reconnaissance.
  • Nodal Graph: Visualize the size and interactions between entities (IP address, MAC address, user, host, domain, file name, or file hash).
  • Events List: Study the events associated with the incident.
  • Journal: Add notes and collaborate with other analysts.
  • Tasks: Create incident tasks and track them to closure.
  • Related Indicators: View indicators (alerts) that are related to the incident and add them to the incident if they are not associated with an incident.

You can also filter the data in the Incident Details view to study indicators and entities of interest.

Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Platform.

Incident Details view workflow diagram

In the Incident Details view, you can use the extensive information provided about the incidents to determine which incidents require action. You also have the tools and information to investigate the incident, and then escalate or remediate it.

What do you want to do?

Role | I want to ... | Show me how
---- | ------------- | -----------
Incident Responders, Analysts, and SOC Manager | View prioritized incidents, filter and sort the incident list, find incidents, view my incidents, and assign incidents to myself. | Review Prioritized Incident List
Incident Responders, Analysts | View incident details.* | View Incident Details
Incident Responders, Analysts | View alerts and enrichments.* | View the Indicators and Enrichments
Incident Responders, Analysts | View events.* | View and Study the Events
Incident Responders, Analysts (Additional permissions required) | View Event Analysis for an event.* | View Event Analysis Details for Indicators
Incident Responders, Analysts | View a graph of the entities involved in the events.* | View and Study the Entities Involved in the Events
Incident Responders, Analysts | Filter the incident data.* | Filter the Data in the Incident Details View
Incident Responders, Analysts | View and add incident notes.* | View Incident Notes and Document Steps Taken Outside of NetWitness
Incident Responders, Analysts | View and create tasks.* | View the Tasks associated with an Incident and Create a Task
Incident Responders, Analysts | Find related alerts and add them to the incident.* | Find Related Indicators and Add Related Indicators to the Incident
Incident Responders, Analysts | View contextual information about an incident from Context Hub.* | View Contextual Information
Incident Responders, Analysts | Reduce false positives by adding an entity to a whitelist.* | Add an Entity to a Whitelist
Incident Responders, Analysts | Pivot to NetWitness Investigate.* | Pivot to Investigate > Navigate
Incident Responders, Analysts | Pivot to NetWitness Endpoint.* | Pivot to NetWitness Endpoint Thick Client
Incident Responders, Analysts, and SOC Manager | Send an incident to Archer Cyber Incident & Breach Response.* | Send an Incident to RSA Archer
Incident Responders, Analysts | Update or close an incident.* | Update an Incident and Close an Incident
Incident Responders, Analysts, and SOC Manager | View all tasks. | Escalate or Remediate the Incident
Incident Responders, Analysts, and SOC Manager | Bulk update incidents and tasks. | Escalate or Remediate the Incident

*You can complete these tasks here (that is, in the Incident Details view).

Quick Look

The following example shows the locations of the Incident Details view panels.

Incident Details view Quick Look Diagram

Incident Details view Quick Look Diagram showing Event Analysis in the Respond view

Incident Details view Quick Look Diagram showing UEBA in the Respond view

1 Overview Panel (Click the OVERVIEW tab to view it.)
2 Indicators Panel
3 Nodal Graph
4 Events List (Click the top of an event in the Events List to view event details.)
5 Journal Panel
6 Tasks Panel (Click the TASKS tab to view it.)
7 Related Indicators Panel (Click the RELATED tab to view it.)
8 Event Analysis (Click an event type hyperlink in the Indicators panel to view the Event Analysis.)
9 UEBA (Click a User Entity Behavior Analytics hyperlink in the Indicators panel to view UEBA.)

Overview Panel

The Overview panel shows basic summary information about a selected incident. It also allows you to change the incident name and update the incident priority, status, and assignee. The Overview panel in the Incidents List view contains the same information. The Incidents List view Overview Panel topic provides details.

Incident Details view Overview Panel

Indicators Panel

The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. (This is different from a timeline, which provides a visual representation of the timing of the events in the incident.) This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.

To view the Indicators panel, in the left panel of the Incident Details view, select INDICATORS.

Incident Details view Indicators panel

Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. In the Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of the events.

Note: The maximum number of indicators (alerts) displayed in the Indicators panel is 1,000.

Event Analysis

You can perform an Event Analysis from the Indicators panel. Events preceded by an EA (Event Analysis) icon have event reconnaissance information available. You can select an event type hyperlink, such as Network, to access an event analysis for the selected event.

In the Event Analysis panel, you can view raw events and metadata with interactive features that enhance your ability to find meaningful patterns in the data. You can examine network, log, and endpoint events. The Event Analysis panel in the Respond view shows the Event Analysis view from Investigate for specific indicator events. For detailed information about the Event Analysis view, see the NetWitness Investigate User Guide.

Event Analysis panel in the Respond Incident Details view

Note: Migrated incidents from NetWitness Platform versions before 11.2 will not show the Event Analysis panel in the Respond Incident Details view Indicators panel. Likewise, if you use alerts that were migrated from versions before 11.2 to create incidents in 11.3, you will also not be able to view the Event Analysis panel in the Respond view for those incidents.

User Entity Behavior Analytics

RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. You can access UEBA from the Respond Incident Details view Indicators panel. Indicators with a User Entity Behavior Analytics hyperlink have additional UEBA information available. For detailed information about UEBA, see the NetWitness UEBA User Guide.

UEBA in the Respond Incident Details view

Nodal Graph

The nodal graph is an interactive graph that shows the entities involved in the incident. An entity is a specific piece of metadata, such as an IP address, MAC address, user, host, domain, file name, or file hash.

Nodal Graph example

Nodal graph showing a single user

Nodes

In the nodal graph, circles represent nodes. The following table describes the nodal graph node types.

Node | Description
---- | -----------
IP address | If the event is a detected anomaly, you can see a Detector IP. If the event is a transaction, you can see a Destination IP and a Source IP.
MAC address | You may see a MAC address for each type of IP address.
User | If the machine is associated with a user, you can see a user node.
Host | A host can be physical equipment or a virtual machine, designated by a Fully Qualified Domain Name (FQDN) or IP address, on which any service is installed.
Domain |
Filename | If the event involves files, you can see a filename.
File Hash | If the event involves files, you may see a file hash.

The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes. It also helps you to locate the entities when the values, such as the IP addresses, are hashed.

You can click any node and drag it to reposition it.

In NetWitness Platform version 11.2 and later, you can select the node types that you want to view by clearing or selecting the checkboxes in the legend. The following figure shows an example nodal graph legend with all node types selected except IP.

Nodal Graph legend with all node types selected except IP

Arrows

The arrows between the nodes provide additional information about the entity relationships. The following table describes the nodal graph arrow types.

Arrow | Description
----- | -----------
Communicates with | An arrow between a Source machine node (IP address or MAC address) and a Destination machine node labeled with "communicates with" shows the direction of the communication.
As | An arrow between nodes labeled with "as" provides additional information about the IP address that the arrow points to. For example, if there is an arrow from the host node circle that points to an IP address node that is labeled with "as", it indicates that the name on the host node circle is the hostname of that IP address and is not a different entity.
Has file | An arrow between a machine node (IP address, MAC address, or Host) and a file hash node labeled with "has" indicates that the IP address has that file.
Uses | An arrow between a User node and a machine node (IP address, MAC address, or Host) labeled with "uses" shows the machine that the user was using during the event.
Is named | An arrow from a File Hash node to a File Name node labeled with "is named" indicates that the file hash corresponds to a file with that name.
Belongs to | An arrow between two nodes labeled with "belongs to" indicates that they pertain to the same entity. For example, an arrow between a MAC address and a Host labeled with "belongs to" indicates that it is the MAC address of the host.

Thicker arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The larger nodes are the most common entities mentioned in the events.
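As an added example (not RSA's code and not the actual NetWitness graph implementation), the following Python sketches how the node and arrow semantics described above can be derived from Events List fields: node size from how often an entity appears, arrow thickness from how often a relationship repeats, and the legend checkboxes as a type filter. The field names, relationship rules and sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample events, keyed by names modelled on this page's Events List
# columns (source IP, target IP, source user, source host, source MAC, file hash,
# file name). Values are invented for illustration only.
EVENTS = [
    {"source_ip": "10.0.0.5", "target_ip": "203.0.113.9", "source_user": "alice",
     "source_host": "ws01.example.test", "source_mac": "00:11:22:33:44:55",
     "file_hash": "hash-A", "file_name": "update.exe"},
    {"source_ip": "10.0.0.5", "target_ip": "203.0.113.9", "source_user": "alice",
     "source_host": "ws01.example.test", "source_mac": "00:11:22:33:44:55"},
    {"source_ip": "10.0.0.7", "target_ip": "203.0.113.9", "source_user": "bob",
     "file_hash": "hash-A", "file_name": "update.exe"},
]

# Assumed relationship rules mirroring the Arrows table: (from_field, label, to_field).
ARROW_RULES = [
    ("source_ip", "communicates with", "target_ip"),
    ("source_user", "uses", "source_ip"),
    ("source_host", "as", "source_ip"),
    ("source_mac", "belongs to", "source_host"),
    ("source_ip", "has", "file_hash"),
    ("file_hash", "is named", "file_name"),
]

# Node type for each field, matching the node types in the legend.
NODE_TYPE = {
    "source_ip": "IP", "target_ip": "IP", "source_user": "User",
    "source_host": "Host", "source_mac": "MAC", "file_hash": "File Hash",
    "file_name": "Filename",
}


def build_nodal_graph(events, selected_types=None):
    """Return (nodes, edges).
    nodes: {(type, value): activity count}  (larger count -> larger circle)
    edges: {(from_node, label, to_node): count}  (larger count -> thicker arrow)
    selected_types behaves like the legend checkboxes: nodes of unselected
    types, and any arrows touching them, are dropped from the result."""
    nodes, edges = Counter(), Counter()
    for ev in events:
        for field, value in ev.items():
            nodes[(NODE_TYPE[field], value)] += 1
        for src, label, dst in ARROW_RULES:
            if src in ev and dst in ev:  # only draw arrows both ends of which exist
                edges[((NODE_TYPE[src], ev[src]), label, (NODE_TYPE[dst], ev[dst]))] += 1
    if selected_types is not None:
        nodes = Counter({n: c for n, c in nodes.items() if n[0] in selected_types})
        edges = Counter({e: c for e, c in edges.items() if e[0] in nodes and e[2] in nodes})
    return dict(nodes), dict(edges)


def legend(nodes):
    """Number of nodes of each type, as shown in the legend below the graph."""
    return dict(Counter(node_type for node_type, _ in nodes))


def largest_node(nodes):
    """The most common entity mentioned in the events (the largest circle)."""
    return max(nodes, key=nodes.get)


def thickest_arrow(edges):
    """The relationship that repeats most often (the thickest arrow)."""
    return max(edges, key=edges.get)
```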

Events List

The Events List shows the events associated with the incident. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, target user, and file information about the events. The amount of information listed depends on the event type. The maximum number of events displayed in the Events List is 1,000.

The following figure shows an Events List for network events.

Incident Details view Events List for network events

Each event has a header row with the following information:

  • Risk score: This is the risk score of the indicator (alert) that contains the event.
  • Title: This is the name of the event.
  • Event x of x: This indicates the number of the event out of the total number of events in the indicator.

For example, the following event header shows that this event is event 2 of 2 for an indicator (alert) that has a risk score of 90. The event name is In Program Data Followed by SSL Over Non Standard Port.
Event Header showing risk score, name, and the event number of the total number of alerts in the indicator.

The following table describes the fields in the Events List for network or log events.

Field | Description
----- | -----------
EVENT TIME | Shows the time the event occurred.
EVENT TYPE | Shows the type of alert, such as Log and Network.
DETECTOR IP | Shows the IP address of the machine where an anomaly was detected.
FILE NAME | Shows the file name if a file is involved with the event.
FILE HASH | Shows a hash of the file contents.
SOURCE IP | Shows the source IP address if there was a transaction between two machines.
SOURCE PORT | Shows the source port of the transaction. The source and destination ports can be on the same IP address.
SOURCE HOST | Shows the destination host where the event took place.
SOURCE MAC | Shows the MAC address of the source machine.
SOURCE USER | Shows the user of the source machine.
TARGET IP | Shows the destination IP address if there was a transaction between two machines.
TARGET PORT | Shows the destination port of the transaction. The source and destination ports can be on the same IP address.
TARGET HOST | Shows the host name of the destination machine.
TARGET MAC | Shows the MAC address of the destination machine.
TARGET USER | Shows the user of the destination machine.

The following figure shows an Events List for NetWitness Endpoint events.

Incident Details view Events List for NetWitness Endpoint events

The following table describes the fields in the Events List for NetWitness Endpoint events. NetWitness Endpoint events have an Endpoint Event Type and an nwendpoint Device Type. NetWitness Endpoint events from version 4.4.x and earlier can have an Event Type that shows the origin of the event.

Field | Description
----- | -----------
EVENT TIME | Shows the time the event occurred.
EVENT TYPE | Shows the type of alert, such as Endpoint or Log. NetWitness Endpoint events have an Endpoint event type. NetWitness Endpoint events from version 4.4.x and earlier can have an Event Type that shows the origin of the event.
CATEGORY | Shows the NetWitness Endpoint category.
ACTION | Shows the action that the file performed.
HOSTNAME | Shows the name of the machine that is running the agent.
USER ACCOUNT | Shows the username of the actively logged in user.
OPERATING SYSTEM | Shows the operating system of the agent.
FILE HASH | Shows the checksum of the file.
SOURCE FILENAME | Shows the name of the source file.
SOURCE LAUNCH ARGUMENT | Shows the command line argument for the running process.
SOURCE PATH | Shows the path of the source file.
SOURCE HASH | Shows the checksum of the source file.
SOURCE IP ADDRESS | Shows the IP address of the agent.
SOURCE PORT | Shows the source port of the connection.
TARGET FILENAME | Shows the name of the target file.
TARGET LAUNCH ARGUMENT | Shows the command line argument for the running process.
TARGET PATH | Shows the path of the target file.
TARGET HASH | Shows the checksum of the target file.
TARGET IP ADDRESS | Shows the destination IP address of this NetWitness Platform activity.
TARGET PORT | Shows the destination port of the connection.
EVENT SOURCE | Shows the hostname or IP address, along with the port, of the Core service that holds the event information.
DEVICE TYPE | Shows the type of the device from which the data is sent or collected. For example, it shows nwendpoint for NetWitness Endpoint.

Event Details

To view the event details, you can click the top of an event in the Events List. The details appear below the event. Viewing inline event details enables you to keep the context of the event as it relates to the other events.

The following figure shows an indicator (alert) selected in the Indicators panel. The events for that indicator appear in the Events List on the right. You can see the event details below the selected event.

Indicator Event Details

The following figure shows a specific indicator event selected in the Indicators panel. Information about the selected event appears in the Events List on the right. You can see the event details below the selected event in the list.

Event details shown for a selected indicator event

Journal Panel

The incident Journal shows the history of activity on your incident.

Incident Details view Journal panel

The following table describes the New Journal Entry options.

Field | Description
----- | -----------
New Journal Entry | Type your note in the field.
Milestone | (Optional) Select a milestone, if applicable. This field is used to track significant events for the incident.
Submit button | Click Submit to add an entry to the journal. Your journal entry will be visible to anyone who views the incident.

Tasks Panel

In the Tasks panel, you can manage and track the incident tasks to closure.

Incident Details view Tasks panel

The following table describes the Task fields.

Field | Description
----- | -----------
<Task ID> / <Incident ID> | The autogenerated Task ID / The incident associated with the task.
CREATED | The created date of the task.
LAST UPDATED | The date that the task was last modified.
OPENED | The time that has passed since the task was opened. For example, 3 minutes ago or 2 days ago.
NAME | The name of the task. For example: Re-image the machine. You can click this field to edit it.
ASSIGNEE | The username of the user assigned to the task. You can click this field to edit it.
PRIORITY | The priority of the task: Low, Medium, High, or Critical. You can click the priority button and select a new priority for the task from the drop-down list.
STATUS | The status of the task: New, Assigned, In Progress, Remediated, Risk Accepted, or Not Applicable. You can click the status button and select a new status for the task from the drop-down list.
DESCRIPTION | Type information that describes the task. You may want to include any applicable reference numbers. You can click this field to edit it.

Related Indicators Panel

The Related Indicators panel enables you to search the NetWitness Platform alerts database to find alerts that are related to this incident. You can add alerts that you find to the incident if they are not already associated with an incident.

Incident Details view Related Indicators panel

The following table describes the fields in the search section at the top of the panel.

Field | Description
----- | -----------
Find | Select the entity that you would like to locate in the alerts. For example, IP.
Value | Type the value of the entity. For example, type the actual IP address of the entity.
When | Select a time range to search for the alerts. For example, Last 24 hours.
Find button | Initiates the search. A list of related indicators appears below the Find button in the Indicators for section.

The following table describes the options in the Indicators for (results) section at the bottom of the panel.

Option | Description
------ | -----------
Indicators For | Shows the search results.
Open in new window link | Shows alert details for the indicator.
Add To Incident button | Adds the related indicator to the incident. The related indicator is added to the Indicators panel.
Part Of This Incident button | Shows that the indicator is already part of the incident.

Toolbar Actions

Option | Description
------ | -----------
Back to Alerts icon (arrow pointing left) | (Back to Incidents) Enables you to navigate back to the Incidents List view.
Close (X) icon | Closes the panel.
Trash can (delete) icon | Deletes the entry, such as a journal entry or task.
Priority button | (In the Overview panel) Allows you to change the Priority of one or more selected incidents in the Incidents List.
Status button | (In the Overview panel) Allows you to change the Status of one or more selected incidents.
Assignee button | (In the Overview panel) Allows you to change the Assignee of one or more selected incidents.
Nodal Graph icon | Enables you to view the Nodal Graph.
Nodal Graph icon | Enables you to view the incident Events List. Clicking the top of an event enables you to view the event details below it.
Journal, Tasks, and Related icon | (Journal, Tasks, and Related) Enables you to view the Journal, Tasks, and Related Indicators panels.
Show / Hide icons in the Event Analysis panel for Header, Request, Response, and Meta | Enables you to show or hide the Header, Request, Response, or Meta in the Event Analysis panel in the Respond Incident Details view. For more information about Event Analysis, see the Event Analysis view in the NetWitness Investigate User Guide.
