In the Incident Details view (RESPOND > Incidents > click an ID or NAME hyperlink in the Incidents List), you can view and access extensive incident details. The Incident Details view contains multiple panels that provide the following benefits:
- Overview: View an incident summary and update the incident.
- Indicators: View the indicators (alerts) involved in the incident, the events within those alerts, and available enrichment information. You can also access Event Analysis details for some events and perform event reconnaissance.
- Nodal Graph: Visualize the entities involved in the incident (IP address, MAC address, user, host, domain, file name, or file hash), their relative size, and the interactions between them.
- Events List: Study the events associated with the incident.
- Journal: Add notes and collaborate with other analysts.
- Tasks: Create incident tasks and track them to closure.
- Related Indicators: View indicators (alerts) that are related to the incident and add them to the incident if they are not associated with an incident.
You can also filter the data in the Incident Details view to study indicators and entities of interest.
This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Platform.
In the Incident Details view, you can use the extensive information provided about the incidents to determine which incidents require action. You also have the tools and information to investigate the incident, and then escalate or remediate it.
What do you want to do?
*You can complete these tasks here (that is, in the Incident Details view).
- Incidents List View
- Determine which Incidents Require Action
- Investigate the Incident
- Escalate or Remediate the Incident
The following example shows the locations of the Incident Details view panels.
| Callout | Panel |
|---|---|
| 1 | Overview Panel (Click the OVERVIEW tab to view it.) |
| 4 | Events List (Click the top of an event in the Events List to view event details.) |
| 6 | Tasks Panel (Click the TASKS tab to view it.) |
| 7 | Related Indicators Panel (Click the RELATED tab to view it.) |
| 8 | Event Analysis (Click an event type hyperlink in the Indicators panel to view the Event Analysis.) |
| 9 | UEBA (Click a User Entity Behavior Analytics hyperlink in the Indicators panel to view UEBA.) |
The Overview panel shows basic summary information about a selected incident. It also allows you to change the incident name and update the incident priority, status, and assignee. The Overview panel in the Incidents List view contains the same information. The Incidents List view Overview Panel topic provides details.
The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. (This is different from a timeline, which provides a visual representation of the timing of the events in the incident.) This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.
To view the Indicators panel, in the left panel of the Incident Details view, select INDICATORS.
Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. In the Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of the events.
You can perform an Event Analysis from the Indicators panel. Event counts preceded by an EA (Event Analysis) icon have event reconnaissance information available. You can select an event type hyperlink, such as Network, to access an event analysis for the selected event.
In the Event Analysis panel, you can view raw events and metadata with interactive features that enhance your ability to find meaningful patterns in the data. You can examine network, log, and endpoint events. The Event Analysis panel in the Respond view shows the Event Analysis view from Investigate for specific indicator events. For detailed information about the Event Analysis view, see the NetWitness Investigate User Guide.
User Entity Behavior Analytics
RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. You can access UEBA from the Respond Incident Details view Indicators panel. Indicators with a User Entity Behavior Analytics hyperlink have additional UEBA information available. For detailed information about UEBA, see the NetWitness UEBA User Guide.
The nodal graph is an interactive graph that shows the entities involved in the incident. An entity is a specific piece of meta (metadata), such as an IP address, MAC address, user, host, domain, file name, or file hash.
In the nodal graph, circles represent nodes. The following table describes the nodal graph node types.
The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes. It also helps you to locate the entities when the values, such as the IP addresses, are hashed.
You can click any node and drag it to reposition it.
In NetWitness Platform version 11.2 and later, you can select the node types that you want to view by clearing or selecting the checkboxes in the legend. The following figure shows an example nodal graph legend with all node types selected except IP.
The arrows between the nodes provide additional information about the entity relationships. The following table describes the nodal graph arrow types.
Larger line size arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The larger nodes are the most common entities mentioned in the events.
The Events List shows the events associated with the incident. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, target user, and file information about the events. The amount of information listed depends on the event type. The maximum number of events displayed in the Events List is 1,000.
The following figure shows an Events List for network events.
Each event has a header row with the following information:
- Risk score: This is the risk score of the indicator (alert) that contains the event.
- Title: This is the name of the event.
- Event x of x: This indicates the number of the event out of the total number of events in the indicator.
For example, the following event header shows that this event is event 2 of 2 for an indicator (alert) that has a risk score of 90. The event name is In Program Data Followed by SSL Over Non Standard Port.
The following table describes the fields in the Events List for network or log events.
The following figure shows an Events List for NetWitness Endpoint events.
The following table describes the fields in the Events List for NetWitness Endpoint events. NetWitness Endpoint events have an Endpoint Event Type and an nwendpoint Device Type. NetWitness Endpoint events from version 4.4.x and earlier can have an Event Type that shows the origin of the event.
To view the event details, you can click the top of an event in the Events List. The details appear below the event. Viewing inline event details enables you to keep the context of the event as it relates to the other events.
The following figure shows an indicator (alert) selected in the Indicators panel. The events for that indicator appear in the Events List on the right. You can see the event details below the selected event.
The following figure shows a specific indicator event selected in the Indicators panel. Information about the selected event appears in the Events List on the right. You can see the event details below the selected event in the list.
The incident Journal shows the history of activity on your incident.
The following table describes the New Journal Entry options.
In the Tasks panel, you can manage and track the incident tasks to closure.
The following table describes the Task fields.
Related Indicators Panel
The Related Indicators panel enables you to search the NetWitness Platform alerts database to find alerts that are related to this incident. You can add alerts that you find to the incident if they are not already associated with an incident.
The following table describes the fields in the search section at the top of the panel.
The following table describes the options in the Indicators for (results) section at the bottom of the panel.