Respond: Escalate or Remediate the Incident

Document created by RSA Information Design and Development Employee on Sep 14, 2017Last modified by RSA Information Design and Development Employee on Jan 30, 2020
Version 13Show Document
  • Comment0
  • View in full screen mode
 

You may want to escalate an incident, assign incidents to another Analyst, or change the status and priority of an incident as you gather more information about it. This is useful if, for example, you upgrade the priority of an incident from high to critical after determining that the incident is a major breach. You may also want to send the incident to RSA Archer Cyber Incident & Breach Response for additional analysis and action.

You can perform the following procedures to escalate or remediate an incident:

 

Send an Incident to RSA Archer

Note: This option is available in NetWitness Platform version 11.2 and later. If RSA Archer is configured as a data source in Context Hub, you can send incidents to RSA Archer and you will be able to see the Send to Archer option and Sent to Archer Status in NetWitness Respond.

When you send an incident to Archer, a Sent to Archer notification appears within the incident. When configured, the NetWitness Platform can start additional business processes in Archer Cyber Incident & Breach Response. You can view all of the incidents that were sent to Archer Cyber Incident & Breach Response using the filter in the Incident Lists view.

You send an incident to Archer by clicking the Send to Archer button in the Overview panel in the Incident Lists view or the Incident Details view.

Caution: The Send to Archer action is not reversible.

  1. Go to RESPOND > Incidents.
  2. From the Incidents List view, click the incident that you want to send to Archer Cyber Incident & Breach Response.
    The Overview panel appears on the right.
    Incidents List view showing the Overview Panel with a Send to Archer button

  3. In the Overview panel, click Send to Archer.

  4. Read the Confirm Send to Archer dialog and then click Yes to confirm sending the incident to Archer Cyber Incident & Breach Response. This action is not reversible.
    Confirm Send to Archer dialog
    You will receive a confirmation that the incident was sent to Archer along with an Archer incident ID. In the Overview panel, the Send to Archer button changes to Sent to Archer.
    Incidents List view showing that the incident was successfully sent to Archer
    In the Incident Details view (click the link in the ID or NAME field of the incident sent to Archer) you can see the Sent to Archer notification above the Overview and Indicators panels. If you open the Journal, you can see a system journal entry that shows that the incident was sent to Archer and it now has an Archer ID number.
    Incident Details view showing incident sent to Archer and journal entry

View All Incidents Sent to Archer

Note: This option is available in version 11.2 and later. If RSA Archer is configured as a data source in Context Hub, you can send incidents to RSA Archer and you will be able to see the Sent to Archer option and Sent to Archer Status in NetWitness Respond.

You can view incidents sent to Archer Cyber Incident & Breach Response using the Filter.

  1. Go to RESPOND > Incidents.
    The Incidents List is displayed.
  2. If you cannot see the Filters panel, in the Incident List view toolbar, click Filter icon.
  3. In the Filters panel, under SENT TO ARCHER, select Yes.
    The incidents list will be filtered to show incidents that were sent to Archer Cyber Incident & Breach Response.
    Incidents list view with Filter panel showing Sent to Archer status

Update an Incident

You can update an incident from several places. You can change the priority, status, or assignee from the Incident List view and the Incident Details view. For example, if you are an Analyst, you may want to assign yourself a case from the Incident List view if you see that it is related to another case you are working on. If you are an SOC Manager or an Administrator, you may want to view unassigned incidents from the Incident List view and assign the incidents as they come in. SOC Managers and Administrators can do bulk updates of the priority, status, or assignee instead of updating them one incident at a time.

From the Details view, you might want to change the status to In Progress once you begin working on an incident, and then update it to Closed or Closed - False Positive after you resolve the issue. Or you might change the priority of the incident to Medium or High as you determine the details of the case.

Change Incident Status

When an incident first appears in the incident list, it has an initial status of New. You can update the status as you complete your work on the incident. The following statuses are available:

  • New
  • Assigned
  • In Progress
  • Task Requested
  • Task Complete
  • Closed
  • Closed - False Positive

To update the status of multiple incidents:

  1. In the Incidents List view, select one or more incidents that you would like to change. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
  2. Click Change Status and select a status from the drop-down list. In this example, the current status is Assigned, but the Analyst would like to change it to In Progress for the selected incidents.
    Incidents List view showing the Status drop-down list
  3. If you select more than one incident, in the Confirm Update dialog, click OK.
    Confirm Update dialog
    You can see a successful change notification. In this example, the status of the updated incidents now show In Progress.
    Incident List showing a successful bulk Status update

To change the status of a single incident from the Overview panel:

  1. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that needs a status update.
      Incidents List showing Overview panel
    • From the Incident Details view, click the OVERVIEW tab.
      Incident Details view showing Overview tab
      In the Overview panel, the Status button shows the current status of the incident.
  2. Click the Status button and select a status from the drop-down list.
    Update Overview Panel showing Status drop-down list
    You can see a successful change notification.
    Successful change notification

Change Incident Priority

The incident list is sorted by Priority by default. You can update the priority as you study the details of the case. The following priorities are available:

  • Critical
  • High
  • Medium
  • Low

Note: You cannot change the priority of a closed incident.

To update the priority of multiple incidents:

  1. In the Incidents List view, select one or more incidents that you would like to change. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
  2. Click Change Priority and select a priority from the drop-down list. In this example, the current priority is High, but the Analyst would like to change it to Critical for the selected incidents.
    Incidents List view showing the Priority drop-down list
  3. If you select more than one incident, in the Confirm Update dialog, click OK.
    Confirm Update dialog for priority change.
    You can see a successful change notification. In this example, the status of the updated incidents now show Critical.
    Incident List showing a successful bulk Status update

To change the priority of a single incident from the Overview panel

  1. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that needs a priority update.
    • From the Incident Details view, click the OVERVIEW tab in the left panel.
      In the Overview panel, the Priority button shows the current priority of the incident.
  2. Click the Priority button and select a status from the drop-down list.
    Update Overview Panel showing Priority drop-down list
    You can see a successful change notification. The Priority button changes to show the new incident priority.
    Successful change notification

Assign Incidents to other Analysts

You can assign incidents to other Analysts in the same way as you assign incidents to yourself. SOC Managers and Administrators can assign multiple incidents to a user at the same time.

Note: You cannot change the assignee of a closed incident.

To assign multiple incidents to a user:

  1. In the Incidents List view, select the incidents that you would like to assign to a user. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
  2. Click Change Assignee and select a user from the drop-down list. In this example, the incidents are unassigned, but they should be assigned to an Analyst.
    Incidents List view showing the Assignee drop-down list
  3. If you select more than one incident, in the Confirm Update dialog, click OK.
    You can see a successful change notification. The assignee changes to the selected user.
    Incidents List showing successful assignee change

To assign a user to an incident from the Overview panel:

  1. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that you would like to assign to a user.
    • From the Incident Details view, click the OVERVIEW tab in the left panel.
      In the Overview panel, the Assignee button shows the current assignee of the incident. In the following example, the Assignee button has a current status of Unassigned.
      Update Overview Panel changing assignee to Analyst User from Unassigned
  2. Click the Assignee button and select a user from the drop-down list.
    You can see a successful change notification. The Assignee button changes to show the assigned user.
    Successful change notification

Rename an Incident

You can rename an incident from the Overview panel in the Incidents List view and the Incident Details view. For example, you may want to rename an incident to provide clarification about the issue, especially if multiple incidents have the same name.

  1. Go to Respond > Incidents.
  2. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that needs a name change.
      The Overview panel opens.
    • From the Incident Details view, click the OVERVIEW tab in the left panel.
      In the header above the Overview panel, you can see the incident ID and the incident name.
      Overview Panel showing header
  3. Click the incident name in the header to open a text editor.
    Incident Details View Overview panel showing an editable name field in the header
  4. Type a new name for the incident in the text editor and click the check mark to confirm the change.
    Incident Details View Overview panel showing text editor
    For example, you can change "High Risk Alerts: ESA for 90.0" to "High Risk Alerts for mail.emc.com" for more clarification.
    You can see a successful change notification.
    Successful change notification
    The incident name field shows the new name.
    Incident Details View Overview panel showing new incident name

View All Incident Tasks

When additional work is required for an incident, you can create tasks for the incident and track the progress on those tasks. This is helpful, for example, when the work being done is outside security operations or you make a request for a computer reimage. In the Tasks List view, you can manage and track the tasks to closure.

  1. Go to Respond > Tasks.
    The Tasks List view displays a list of all incident tasks.
    Tasks View
  2. Scroll through the tasks list, which shows basic information about each task as described in the following table.
                                               
Column

Description

CREATEDDisplays the date when the task was created.
PRIORITYDisplays the priority assigned to the task. The priority can be any of the following: Critical, High, Medium, or Low. The Priority is also color coded, where red indicates Critical, orange represents High risk, yellow indicates Medium risk, and green represents Low risk as shown in the following figure:
Priorities showing color coding
IDDisplays the task ID.
NAMEDisplays the task name.
ASSIGNEEDisplays the name of the user assigned to the task.
STATUSDisplays the status of the task: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable.
LAST UPDATEDDisplays the date and time when the task was last updated.
CREATED BYDisplays the user who created the task.
INCIDENT IDDisplays the incident ID for which the task was created. Click the ID to display the details of the incident.

At the bottom of the list, you can see the number of tasks on the current page, the total number of tasks, and the number of tasks selected. For example: Showing 6 out of 6 items | 2 selected.

Filter the Tasks List

The number of tasks in the Tasks List can be very large, making it difficult to locate particular tasks. The Filter enables you to specify those tasks that you would like to view, such as tasks created within the last 7 days. You can also search for a specific task.

  1. Go to Respond > Tasks.
    The Filters panel appears to the left of the Tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click Filter icon, which opens the Filters panel.
    Tasks List Filters panel
  2. In the Filters panel, select one or more options to filter the incidents list:
    • TIME RANGE: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the tasks. For example, if you select Last Hour, you can see tasks that were created within the last 60 minutes.
    • CUSTOM DATE RANGE: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of CUSTOM DATE RANGE to view the Start Date and End Date fields. Select the dates and times from the calendar.
      Custom Date Range option in the filter
    • TASK ID: Type the Task ID for a task that you would like to locate, for example REM-123.
    • PRIORITY: Select the priorities that you would like to view.
    • STATUS: Select one or more incident statuses. For example, select Remediated to view completed remediation tasks.
    • CREATED BY: Select the user who created the tasks that you would like to view. For example, if you only want to view the tasks created by Edwardo, select Edwardo from the CREATED BY drop-down list. If you want to view tasks regardless of the person who created the task, do not make a selection under CREATED BY.

    The Tasks List shows a list of tasks that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the tasks list.
    For example: Showing 6 out of 6 items

  3. If you want to close the Filters panel, click X. Your filters remain in place until you remove them.

Remove My Filters from the Tasks List

NetWitness Platform remembers your filter selections in the Tasks List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of tasks that you expect to see or you want to view all of the tasks in your tasks list, you can reset your filters.

  1. Go to Respond > Tasks.
    The Filters panel appears to the left of the tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click Filter icon, which opens the Filters panel.
  2. At the bottom of the Filters panel, click Reset Filters.

Create a Task

After you investigate an incident and know more about it, you can create a task, assign it to a user, and track it to closure. You create tasks from the Incident Details view.

  1. Go to Respond > Incidents.
    The Incidents List view displays a list of all of the incidents.
  2. Locate the incident that needs a task and click the link in the ID or NAME field.
    Incidents List with links in ID and NAME fields selected
  3. In the Journal panel on the right side of the Incident Details view, click the TASKS tab.
    If you do not see the Journal panel, click Journal & Tasks and then click the TASKS tab.
    Incident Details view with Journal open showing Tasks tab in red
  4. In the Tasks panel, click Add New Task.
    Tasks panel with no tasks
    You can see the new task fields.
    Tasks panel new task fields
    If the incident is in a closed state (Closed or Closed - False Positive), the Add New Task button is disabled.
  5. Provide the following information:
    • Name - Name of the task. For example: Re-image the machine.
    • Description - (Optional) Type information that describes the task. You may want to include any applicable reference numbers.
    • Assignee - (Optional) Type the username of the user to whom the task is to be assigned.
    • Priority - Click the priority button and select a priority for the tasks from the drop-down list: Low, Medium, High, or Critical.
  6. Click Save.
    You can see a confirmation that your change was successful. The incident status changes to Task Requested. (You may need to refresh the Incident Details view to see the changes.) The task appears in the Tasks panel for this incident.
    Incident Details view showing new task in the Tasks panel with a status of Task Requested
    In the Incidents List view, the incident status also changes to Task Requested.
    Incidents List showing new task
    The task also appears in the Tasks list (Respond > Tasks), which shows a list of all incident tasks.

Note: If you do not see the status change, you may need to refresh your internet browser.

Find a Task

If you know the Task ID, you can quickly locate a task using the Filter. For example, you may want to locate a specific task out of thousands of tasks.

  1. Go to Respond > Tasks.
    The Filters panel appears to the left of the Tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click Filter icon, which opens the Filters panel.
    Tasks List Filters panel showing example search for a task in the TASK ID field
  2. In the TASK ID field, type the Task ID for a task that you would like to locate, for example REM-1234.

    The specified task appears in your task list. If you do not see any results, try resetting your filters.

Modify a Task

You can modify a task from within an incident and from the Tasks list. For example, you may want to show the status of the task as In Progress and add some additional information to the task. If the task is in a closed state (Not Applicable, Risk Accepted, or Remediated), you cannot modify the Priority or Assignee.

To modify a Task from within an incident:

  1. Go to Respond > Incidents.
    The Incidents List view displays a list of all incidents.

  2. Locate the incident that needs a task update and click the link in the ID or NAME field.

  3. In the Journal panel on the right side of the Incident Details view, click the TASKS tab.
    If you do not see the Journal panel, click Journal & Tasks and then click the TASKS tab.
    In the Tasks panel, a pencil icon indicates a text field that you can change. A button indicates that there is a drop-down list to make a selection.
    Task panel
  4. You can modify any of the following fields:
    • NAME - Click the current task name to open a text editor.
      Task Name edit text box
      Click the check mark to confirm the change. For example, you can change "Re-image the machine" to "Re-image the machine ASAP."
    • ASSIGNEE - Click (Unassigned) or the name of the previous assignee to open a text editor. Type the username of the user to whom the task is to be assigned.
      Click the check mark to confirm the change.
    • PRIORITY - Click the Priority button and select a priority for the task from the drop-down list: Low, Medium, High, or Critical.
    • STATUS - Click the Status button and select a status for the task from the drop-down list: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable. For example, you can change the status to In Progress.
      Status field drop-down list with In Progress selected
    • DESCRIPTION - Click the text underneath the description to open a text editor.
      Task Description field text editor
      Modify the text and click the check mark to confirm the change.

For each change that you make, you can see a confirmation that your change was successful.

To modify a Task from the Tasks list:

  1. Go to Respond > Tasks.
    The Tasks List view displays a list of all incident tasks.
  2. In the Tasks list, click the task that you want to update.
    The Task Overview panel appears to the right of the tasks list.
    Tasks List view showing the Overview panel
    In the Task Overview panel, a pencil icon indicates a text field that you can change. A button indicates that there is a drop-down list to make a selection.
    Task Overview panel
  3. You can modify any of the following fields:
    • <Task Name> - At the top of the Task Overview panel, below the Task ID, click the current task name to open a text editor.
      Task Name edit text box
      Click the check mark to confirm the change. For example, you can change Isolate Host to Isolate Host Machine.
    • Priority - Click the Priority button and select a priority for the task from the drop-down list: Low, Medium, High, or Critical.
    • Status - Click the Status button and select a status for the task from the drop-down list: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable.
    • Assignee - Click (Unassigned) or the name of the previous assignee to open a text editor. Type the username of the user to whom the task is to be assigned.
      Assignee Edit text box
      Click the check mark to confirm the change.
    • Description - Click the text underneath the description to open a text editor.
      Task Description field text editor
      Modify the text and click the check mark to confirm the change.

For each change that you make, you can see a confirmation that your change was successful.

Delete a Task

You can delete a task, if, for example, you created it in error or you find that it is not needed. You can delete a task from within an incident and also from the Tasks List view. In the Tasks List view, you can delete multiple tasks at the same time.

To Delete a Task from within an incident:

  1. Go to Respond > Incidents.
    The Incidents List view displays a list of all incidents.

  2. Locate the incident that needs a task update and click the link in the ID or NAME field.

  3. In the Journal panel on the right side of the Incident Details view, click the TASKS tab.
    If you do not see the Journal panel, click Journal & Tasks and then click the TASKS tab.
    In the Tasks panel, you can see the tasks created for the incident.
    Tasks panel showing two tasks
  4. Click Delete icon (trash can) to the right of the task that you want to delete.
    Task showing location of delete icon
  5. Confirm that you want to delete the task and click OK.
    Confirm Delete dialog
    The task is deleted from NetWitness Platform. Deleting tasks from NetWitness Platform does not delete them from other systems.

To Delete Tasks from the Tasks List:

  1. Go to  Respond > Tasks.
    The Tasks List view displays a list of all incident tasks.
  2. In the Tasks list, select the tasks that you want to delete and click Delete.
    Tasks list with tasks selected for delete
  3. Confirm that you want to delete the tasks and click OK.
    Confirm Delete dialog
    The tasks are deleted from NetWitness Platform. Deleting tasks from NetWitness Platform does not delete them from other systems.

Close an Incident

When you have arrived at a solution after investigating an incident and remediating it, you close the incident.

  1. Go to Respond > Incidents.
  2. In the Incident List view, select the incident that you want to close and click Change Status.
  3. Select Closed from the drop-down list.
    You can see a successful change notification. The incident is now closed. You cannot change the priority or assignee of a closed incident.

Note: You can also close an incident in the Overview panel. You can close multiple incidents at the same time in the Incident List view. Change Incident Status provides additional details.

You are here
Table of Contents > Escalate or Remediate the Incident

Attachments

    Outcomes

      Visibility: RSA NetWitness Platform Online Documentation787 Views
      Last modified on Jan 30, 2020 6:22 PM
      Ratings: