In the Incident Details view (Respond > Incidents > click an ID or NAME hyperlink in the Incidents List), you can view and access extensive incident details. The Incident Details view contains multiple panels that provide the following benefits:
- Overview: View an incident summary and update the incident.
- Indicators: View the indicators (alerts) involved in the incident, the events within those alerts, and available enrichment information. You can also access Event Analysis details for some events and perform event reconnaissance.
- Related Indicators: View indicators (alerts) that are related to the incident and add them to the incident if they are not associated with an incident.
- Nodal Graph: Visualize the size and interactions between entities (IP address, MAC address, user, host, domain, file name, or file hash).
- Events List: Study the events associated with the incident.
- Journal: Add notes and collaborate with other analysts.
- Tasks: Create incident tasks and track them to closure.
You can also filter the data in the Incident Details view to study indicators and entities of interest.
This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Platform.
In the Incident Details view, you can use the extensive information provided about the incidents to determine which incidents require action. You also have the tools and information to investigate the incident, and then escalate or remediate it.
What do you want to do?
|Role||I want to ...||Show me how|
Incident Responders, Analysts, and SOC Manager
View prioritized incidents, filter and sort the incident list, find incidents, view my incidents, and assign incidents to myself.
|Incident Responders, Analysts||View incident details.*||View Incident Details|
|Incident Responders, Analysts||View alerts and enrichments.*||View the Indicators and Enrichments|
|Incident Responders, Analysts||View events.*||View and Study the Events|
|Incident Responders, Analysts (Additional permissions required)||View event analysis for an event.*||View Event Analysis Details for Indicators|
|Incident Responders, Analysts||View a graph of the entities involved in the events.*||View and Study the Entities Involved in the Events on the Nodal Graph|
|Incident Responders, Analysts||Filter the incident data.*||Filter the Data in the Incident Details View|
|Incident Responders, Analysts||View and add incident notes.*||View Incident Notes and Document Steps Taken Outside of NetWitness|
|Incident Responders, Analysts||View and create tasks.*||View the Tasks Associated with an Incident and Create a Task|
|Incident Responders, Analysts||Add related alerts and add them to the incident.*||Find Related Indicators and Add Related Indicators to the Incident|
|Incident Responders, Analysts||View contextual information about an incident from Context Hub.*||View Contextual Information|
|Incident Responders, Analysts||Reduce false positives by adding an entity to a whitelist.*||Add an Entity to a Whitelist|
|Incident Responders, Analysts||Pivot to NetWitness Investigate.*|
|Incident Responders, Analysts||Pivot to NetWitness Endpoint.*||Pivot to NetWitness Endpoint Thick Client|
|Incident Responders, Analysts, and SOC Manager||Send an incident to Archer Cyber Incident & Breach Response.*||Send an Incident to RSA Archer|
|Incident Responders, Analysts||Update or close an incident.*|
Incident Responders, Analysts, and SOC Manager
View all tasks.
Incident Responders, Analysts, and SOC Manager
Bulk update incidents and tasks.
|Escalate or Remediate the Incident|
*You can complete these tasks here (that is, in the Incident Details view).
- Incidents List View
- Determine which Incidents Require Action
- Investigate the Incident
- Escalate or Remediate the Incident
The following example shows the locations of the Incident Details view panels.
|1||Overview (Click the Overview tab to view the Overview panel.)|
|3||Related Indicators Panel (Click the Find Related tab to view it.)|
|5||Events List (Click the top of an event in the Events List to view event details.)|
|7||Tasks Panel (Click the Tasks tab to view it.)|
|8||Events (Click an event type hyperlink in the Indicators panel, such as Network, to view the Events view from Investigate for a specific indicator event.)|
|9||UEBA (Click a User Entity Behavior Analytics hyperlink in the Indicators panel to view UEBA.)|
The Overview panel shows basic summary information about a selected incident. It also allows you to change the incident name and update the incident priority, status, and assignee. The Overview panel in the Incidents List view contains the same information. The Incidents List view Incident Overview Panel topic provides details.
To view the Overview panel in the Incident Details view, click the Overview tab in the left panel.
The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. (This is different than a timeline, which provides a visual representation of the timing of the events in the incident). This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.
To view the Indicators panel, in the left panel of the Incident Details view, click the Indicators tab.
Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. In the Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of the events.
Related Indicators Panel
The Related Indicators panel enables you to search the NetWitness Platform alerts database to find alerts that are related to this incident. You can add alerts that you find to the incident if they are not already associated with an incident.
To view the Related Indicators panel, in the left panel of the Incident Details view, click the Find Related tab.
The following table describes the fields in the search section at the top of the panel.
Select the entity that you would like to locate in the alerts. For example, IP.
Type the value of the entity. For example, type the actual IP address of the entity.
Select a time range to search for the alerts. For example, Last 24 hours.
Initiates the search. A list of related indicators appear below the Find button in the Indicators for section.
The following table describes the options in the Indicators for (results) section at the bottom of the panel.
|Indicators For:||Shows the search results.|
Open in new window link
|Shows alert details for the indicator.|
Add To Incident button
Adds the related indicator to the incident. The related indicator adds to the Indicators panel.
Part Of This Incident button
Shows that the indicator is already part of the incident.
You can perform an event analysis from the Indicators panel. Event counts preceded by an EA (event analysis) icon have event reconnaissance information available: . You can select an event type hyperlink, such as Network, to access the Events panel for the selected event.
In the Events panel, you can view raw events and metadata with interactive features that enhance your ability to find meaningful patterns in the data. You can examine network, log, and endpoint events. The Events panel in the Respond view shows the Events view from Investigate for specific indicator events. For detailed information about the Events view, see the NetWitness Investigate User Guide.
User Entity Behavior Analytics
RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. You can access UEBA from the Respond Incident Details view Indicators panel. Indicators with a User Entity Behavior Analytics hyperlink have additional UEBA information available. For detailed information about UEBA, see the NetWitness UEBA User Guide.
The nodal graph is an interactive graph that shows the entities involved in the incident. An Entity is represented by an IP address, MAC address, user, host, domain, file name, or file hash.
In the nodal graph, circles represent nodes. The following table describes the nodal graph node types.
|If the event is a detected anomaly, you can see a Detector IP. If the event is a transaction, you can see a Destination IP and a Source IP.|
|You may see a MAC address for each type of IP address.|
|If the machine is associated with a user, you can see a user node.|
|Host||A host can be physical equipment or a virtual machine, designated by a Fully Qualified Domain Name (FQDN) or IP address, on which any service is installed.|
|Domain||If a host is associated with a domain, you can see a domain node.|
|Filename||If the event involves files, you can see a filename.|
|If the event involves files, you may see a file hash.|
The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes. It also helps you to locate the entities when the values, such as the IP addresses, are hashed.
You can click any node and drag it to reposition it.
In NetWitness Platform Version 11.2 and later, you can select the node types that you want to view by clearing or selecting the checkboxes in the legend. The following figure shows an example nodal graph legend with all node types selected except IP.
The arrows between the nodes provide additional information about the entity relationships. The following table describes the nodal graph arrow types.
|Communicates with||An arrow between a Source machine node (IP address or MAC address) and a Destination machine node labeled with "communicates with" shows the direction of the communication.|
|Has file||An Arrow between a machine node (IP address, MAC address, or Host) and a file hash node labeled with "has file " indicates that the IP address has that file.|
|Uses||An arrow between a User node and a machine node (IP address, MAC address, or Host) labeled with "uses" shows the machine that the user was using during the event.|
(This arrow is available in NetWitness Platform 11.4 and later.) An arrow between two file hash (checksum) nodes labeled with "calls" indicates the direction of the interaction between the associated files. The source file hash "calls" the target (destination) file hash, which indicates that the source file associated with the source file hash is performing an action on the target file associated with the target file hash.
(This relationship type represents attributes of the connected node.) An arrow between nodes labeled with "as" provides additional information about the IP address that the arrow points to. For example, if there is an arrow from the host node circle that points to an IP address node that is labeled with "as", it indicates that the name on the host node circle is the hostname of that IP address and is not a different entity.
|Is named||(This relationship type represents attributes of the connected node.) An arrow from a File Hash node to a File Name node labeled with "is named" indicates that the file hash corresponds to a file with that name.|
(This relationship type represents attributes of the connected node.) An arrow between two nodes labeled with "belongs to" indicates that they pertain to the same node. For example, an arrow between a MAC address and a Host labeled with "belongs to" indicates that it is the MAC address of the host.
Larger line size arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The larger nodes are the most common entities mentioned in the events.
The Events List shows the events associated with the incident. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, target user, and file information about the events. The amount of information listed depends on the event type. The maximum number of events displayed in the Events List is 1,000.
The following figure shows an Events List for network events.
Each event has a header row with the following information:
- Risk score: This is the risk score of the indicator (alert) that contains the event.
- Title: This is the name of the event.
- (Event x of x): This indicates the number of the event out of the total number of events in the indicator.
For example, the following event header shows that this event is event 2 of 2 for an indicator (alert) that has a risk score of 90. The event name is In Program Data Followed by SSL Over Non Standard Port.
The following table describes the fields in the Events List for network or log events.
|EVENT TIME||Shows the time the event occurred.|
|EVENT TYPE||Shows the type of alert, such as Log and Network.|
Shows the IP address of the machine where an anomaly was detected
|FILE NAME||Shows the file name if a file is involved with the event.|
Shows a hash of the file contents.
|SOURCE IP||Shows the source IP address if there was a transaction between two machines.|
Shows the source port of the transaction. The source and destination ports can be on the same IP address.
|SOURCE HOST||Shows the destination host where the event took place.|
Shows the MAC address of the source machine.
|SOURCE USER||Shows the user of the source machine.|
Shows the destination IP address if there was a transaction between two machines
|TARGET PORT||Shows the destination port of the transaction. The source and destination ports can be on the same IP address.|
Shows the HOST name of the destination machine.
|TARGET MAC||Shows the MAC address of the destination machine.|
Shows the user of the destination machine.
The following figure shows an Events List for NetWitness Endpoint events.
The following table describes the fields in the Events List for NetWitness Endpoint events. NetWitness Endpoint events have an Endpoint Event Type and an nwendpoint Device Type. NetWitness Endpoint events from version 4.4.x and earlier can have an Event Type that shows the origin of the event.
|EVENT TIME||Shows the time the event occurred.|
|EVENT TYPE||Shows the type of alert, such as Endpoint or Log. NetWitness Endpoint events have an Endpoint event type. NetWitness Endpoint events from version 4.4.x and earlier can have an Event Type that shows the origin of the event.|
|CATEGORY||Shows the NetWitness Endpoint category.|
|ACTION||Shows the action that the file performed.|
|HOSTNAME||Shows the name of the machine that is running the agent.|
|USER ACCOUNT||Shows the username of the actively logged in user.|
|OPERATING SYSTEM||Shows the operating system of the agent.|
|FILE HASH||Shows the checksum of the file.|
|SOURCE FILENAME||Shows the name of the source file.|
|SOURCE LAUNCH ARGUMENT||Shows the command line argument for the running process.|
|SOURCE PATH||Shows the path of the source file.|
|SOURCE HASH||Shows the checksum of the source file.|
|SOURCE IP ADDRESS||Shows the IP address of the agent.|
|SOURCE PORT||Shows the source port of the connection.|
|TARGET FILENAME||Shows the name of the target file.|
|TARGET LAUNCH ARGUMENT||Shows the command line argument for the running process.|
|TARGET PATH||Shows the path of the target file.|
|TARGET HASH||Shows the checksum of the target file.|
|TARGET IP ADDRESS||Shows the destination IP address of this NetWitness Platform activity.|
|TARGET PORT||Shows the destination port of the connection.|
|EVENT SOURCE||Shows the hostname or IP address along with the port of the of the Core service that holds the event information.|
|DEVICE TYPE||Shows the type of the device from which the data is sent or collected. For example, it shows nwendpoint for NetWitness Endpoint.|
To view the event details, you can click the top of an event in the Events List. The details appear below the event. Viewing inline event details enables you to keep the context of the event as it relates to the other events.
The following figure shows an indicator (alert) selected in the Indicators panel. The events for that indicator appear in the Events List on the right.
The following figure shows a specific indicator event selected in the Indicators panel. Information about the selected event appears in the Events List on the right.
The incident Journal shows the history of activity on your incident.
The following table describes the New Journal Entry options.
|New Journal Entry||Type your note in the field.|
|Milestone||(Optional) Select a milestone, if applicable. This field is used to track significant events for the incident.|
|Submit button||Click submit to add an entry to the journal. You journal entry will be visible to anyone who views the incident.|
In the Tasks panel, you can manage and track the incident tasks to closure.
The following table describes the Task fields.
|<Task ID / <Incident ID>||The autogenerated Task ID / The incident associated with the task.|
|Created||The created date of the task.|
|Last Updated||The date that the task was last modified.|
|Opened||The time that passed since the task was opened. For example, 3 minutes ago or 2 days ago.|
|Name||The name of the task. For example: Re-image the machine. You can click this field to edit it.|
|Assignee||The username of the user assigned to the task. You can click this field to edit it.|
|Priority||The priority of the task: Low, Medium, High, or Critical. You can click the priority button and select a new priority for the task from the drop-down list.|
|Status||The status of the task: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable. You can click the status button and select a new status for the task from the drop-down list.|
|Description||Type information that describes the task. You may want to include any applicable reference numbers. You can click this field to edit it.|