You may want to escalate an incident, assign incidents to another Analyst, or change the status and priority of an incident as you gather more information about it. This is useful if, for example, you upgrade the priority of an incident from high to critical after determining that the incident is a major breach. You may also want to send the incident to RSA Archer® Cyber Incident & Breach Response for additional analysis and action.
Send an Incident to RSA Archer
Note: This option is available in version 11.2 and later. If RSA Archer is configured as a data source in Context Hub, you can send incidents to RSA Archer and you will be able to see the Send to Archer option and Sent to Archer Status in NetWitness Respond.
When you send an incident to Archer, a Sent to Archer notification appears within the incident. When configured, the NetWitness Platform can start additional business processes in Archer Cyber Incident & Breach Response. You can view all of the incidents that were sent to Archer Cyber Incident & Breach Response using the filter in the Incident Lists view.
You send an incident to Archer by clicking the Send to Archer button in the Overview panel in the Incident Lists view or the Incident Details view.
Caution: The Send to Archer action is not reversible.
- Go to RESPOND > Incidents.
- From the Incidents List view, click the incident that you want to send to Archer Cyber Incident & Breach Response.
The Overview panel appears on the right.
- In the Overview panel, click Send to Archer.
- Read the Confirm Send to Archer dialog and then click Yes to confirm sending the incident to Archer Cyber Incident & Breach Response. This action is not reversible.
You will receive a confirmation that the incident was sent to Archer along with an Archer incident ID. In the Overview panel, the Send to Archer button changes to Sent to Archer.
In the Incident Details view (click the link in the ID or NAME field of the incident sent to Archer), you can see the Sent to Archer notification above the Overview and Indicators panels. If you also click the icon to open the Journal, you can see a system journal entry that shows that the incident was sent to Archer and that it now has an Archer ID number.
View All Incidents Sent to Archer
Note: This option is available in version 11.2 and later. If RSA Archer is configured as a data source in Context Hub, you can send incidents to RSA Archer and you will be able to see the Sent to Archer option and Sent to Archer Status in NetWitness Respond.
You can view incidents sent to Archer Cyber Incident & Breach Response using the Filter.
- Go to RESPOND > Incidents.
The Incidents List is displayed.
- If you cannot see the Filters panel, in the Incident List view toolbar, click the icon that opens it.
- In the Filters panel, under SENT TO ARCHER, select Yes.
The incidents list will be filtered to show incidents that were sent to Archer Cyber Incident & Breach Response.
Update an Incident
You can update an incident from several places. You can change the priority, status, or assignee from the Incident List view and the Incident Details view. For example, if you are an Analyst, you may want to assign yourself a case from the Incident List view if you see that it is related to another case you are working on. If you are an SOC Manager or an Administrator, you may want to view unassigned incidents from the Incident List view and assign the incidents as they come in. SOC Managers and Administrators can do bulk updates of the priority, status, or assignee instead of updating them one incident at a time.
From the Details view, you might want to change the status to In Progress once you begin working on an incident, and then update it to Closed or Closed - False Positive after you resolve the issue. Or you might change the priority of the incident to Medium or High as you determine the details of the case.
Change Incident Status
When an incident first appears in the incident list, it has an initial status of New. You can update the status as you complete your work on the incident. The following statuses are available:
- New
- Assigned
- In Progress
- Task Requested
- Task Complete
- Closed
- Closed - False Positive
To update the status of multiple incidents:
- In the Incidents List view, select one or more incidents that you would like to change. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
- Click Change Status and select a status from the drop-down list. In this example, the current status is Assigned, but the Analyst would like to change it to In Progress for the selected incidents.
- If you select more than one incident, in the Confirm Update dialog, click OK.
You can see a successful change notification. In this example, the status of the updated incidents now shows In Progress.
To change the status of a single incident from the Overview panel:
- To open the Overview panel, do one of the following:
- From the Incidents List view, click an incident that needs a status update.
- From the Incident Details view, click the OVERVIEW tab.
In the Overview panel, the Status button shows the current status of the incident.
- Click the Status button and select a status from the drop-down list.
You can see a successful change notification.
Change Incident Priority
The incident list is sorted by Priority by default. You can update the priority as you study the details of the case. The following priorities are available:
- Critical
- High
- Medium
- Low
Note: You cannot change the priority of a closed incident.
To update the priority of multiple incidents:
- In the Incidents List view, select one or more incidents that you would like to change. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
- Click Change Priority and select a priority from the drop-down list. In this example, the current priority is High, but the Analyst would like to change it to Critical for the selected incidents.
- If you select more than one incident, in the Confirm Update dialog, click OK.
You can see a successful change notification. In this example, the priority of the updated incidents now shows Critical.
To change the priority of a single incident from the Overview panel:
- To open the Overview panel, do one of the following:
- From the Incidents List view, click an incident that needs a priority update.
- From the Incident Details view, click the OVERVIEW tab.
In the Overview panel, the Priority button shows the current priority of the incident.
- Click the Priority button and select a priority from the drop-down list.
You can see a successful change notification. The Priority button changes to show the new incident priority.
Assign incidents to other Analysts
You can assign incidents to other Analysts in the same way as you assign incidents to yourself. SOC Managers and Administrators can assign multiple incidents to a user at the same time.
Note: You cannot change the assignee of a closed incident.
To assign multiple incidents to a user:
- In the Incidents List view, select the incidents that you would like to assign to a user. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
- Click Change Assignee and select a user from the drop-down list. In this example, the incidents are unassigned, but they should be assigned to an Analyst.
- If you select more than one incident, in the Confirm Update dialog, click OK.
You can see a successful change notification. The assignee changes to the selected user.
To assign a user to an incident from the Overview panel:
- To open the Overview panel, do one of the following:
- From the Incidents List view, click an incident that you would like to assign to a user.
- From the Incident Details view, click the OVERVIEW tab.
In the Overview panel, the Assignee button shows the current assignee of the incident. In the following example, the Assignee button has a current status of Unassigned.
- Click the Assignee button and select a user from the drop-down list.
You can see a successful change notification. The Assignee button changes to show the assigned user.
Rename an Incident
You can rename an incident from the Overview panel in the Incidents List view and the Incident Details view. For example, you may want to rename an incident to provide clarification about the issue, especially if multiple incidents have the same name.
- Go to RESPOND > Incidents.
- To open the Overview panel, do one of the following:
- From the Incidents List view, click an incident that needs a name change.
The Overview panel opens.
- From the Incident Details view, go to the OVERVIEW panel.
In the header above the Overview panel, you can see the incident ID and the incident name.
- Click the incident name in the header to open a text editor.
- Type a new name for the incident in the text editor and click the check mark to confirm the change.
For example, you can change "High Risk Alerts: ESA for 90.0" to "Alerts for mail.emc.com" for more clarification.
You can see a successful change notification.
The incident name field shows the new name.
View All Incident Tasks
When additional work is required for an incident, you can create tasks for the incident and track the progress on those tasks. This is helpful, for example, when the work being done is outside security operations or you make a request for a computer reimage. In the Tasks List view, you can manage and track the tasks to closure.
- Go to RESPOND > Tasks.
The Tasks List view displays a list of all incident tasks.
- Scroll through the tasks list, which shows basic information about each task as described in the following table.
At the bottom of the list, you can see the number of tasks on the current page, the total number of tasks, and the number of tasks selected. For example: Showing 6 out of 6 items | 2 selected.
Filter the Tasks List
The number of tasks in the Tasks List can be very large, making it difficult to locate particular tasks. The Filter enables you to specify those tasks that you would like to view, such as tasks created within the last 7 days. You can also search for a specific task.
- Go to RESPOND > Tasks.
The Filters panel appears to the left of the Tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click the icon that opens the Filters panel.
- In the Filters panel, select one or more options to filter the tasks list:
- TIME RANGE: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the tasks. For example, if you select Last Hour, you can see tasks that were created within the last 60 minutes.
- CUSTOM DATE RANGE: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of CUSTOM DATE RANGE to view the Start Date and End Date fields. Select the dates and times from the calendar.
- TASK ID: Type the Task ID for a task that you would like to locate, for example REM-123.
- PRIORITY: Select the priorities that you would like to view.
- STATUS: Select one or more task statuses. For example, select Remediated to view completed remediation tasks.
- CREATED BY: Select the user who created the tasks that you would like to view. For example, if you only want to view the tasks created by Edwardo, select Edwardo from the CREATED BY drop-down list. If you want to view tasks regardless of the person who created the task, do not make a selection under CREATED BY.
The Tasks List shows a list of tasks that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the tasks list.
For example: Showing 6 out of 6 items
- If you want to close the Filters panel, click X. Your filters remain in place until you remove them.
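The filter criteria listed above combine as a conjunction: a task is shown only if it satisfies every criterion that is set, and a criterion left untouched matches everything. The following Python is an added example written for this page, not code from NetWitness Platform; the `Task` record, the `filter_tasks` and `footer` functions, the "Last 24 Hours" and "Last 7 Days" drop-down labels, and the sample tasks are all constructed assumptions (the guide itself names only Last Hour).

```python
"""Hypothetical model of the Tasks List filter (added example, not NetWitness
code). Criteria: TIME RANGE (measured from each task's creation time), CUSTOM
DATE RANGE, TASK ID, PRIORITY, STATUS and CREATED BY. A criterion left as None
matches every task, like a filter you did not touch in the UI."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Task:
    task_id: str        # e.g. "REM-123"
    created: datetime   # creation time; the TIME RANGE filter is based on this
    priority: str       # Low, Medium, High or Critical
    status: str         # New, Assigned, In Progress, Remediated, Risk Accepted, Not Applicable
    created_by: str     # user who created the task


# Entries of the Time Range drop-down. "Last Hour" is the one the guide names;
# the other two labels are assumed for this example.
TIME_RANGES = {
    "Last Hour": timedelta(hours=1),
    "Last 24 Hours": timedelta(hours=24),
    "Last 7 Days": timedelta(days=7),
}


def filter_tasks(tasks: Iterable[Task], now: datetime, *,
                 time_range: Optional[str] = None,
                 start: Optional[datetime] = None, end: Optional[datetime] = None,
                 task_id: Optional[str] = None,
                 priorities: Optional[set] = None,
                 statuses: Optional[set] = None,
                 created_by: Optional[str] = None) -> List[Task]:
    """Return the tasks that satisfy every criterion that is set."""
    if time_range is not None and (start is not None or end is not None):
        # In the UI, CUSTOM DATE RANGE replaces the Time Range option.
        raise ValueError("use either TIME RANGE or CUSTOM DATE RANGE, not both")
    if time_range is not None:
        start, end = now - TIME_RANGES[time_range], now
    matched = []
    for task in tasks:
        if start is not None and task.created < start:
            continue
        if end is not None and task.created > end:
            continue
        if task_id is not None and task.task_id != task_id:
            continue
        if priorities is not None and task.priority not in priorities:
            continue
        if statuses is not None and task.status not in statuses:
            continue
        if created_by is not None and task.created_by != created_by:
            continue
        matched.append(task)
    return matched


def footer(page_count: int, total: int, selected: int = 0) -> str:
    """The count line at the bottom of the list, for example
    'Showing 6 out of 6 items | 2 selected'."""
    text = f"Showing {page_count} out of {total} items"
    return f"{text} | {selected} selected" if selected else text


# Constructed sample data (not from a real deployment).
NOW = datetime(2024, 1, 10, 12, 0, 0)
SAMPLE_TASKS = [
    Task("REM-1", NOW - timedelta(minutes=30), "High", "New", "Edwardo"),
    Task("REM-2", NOW - timedelta(hours=5), "Critical", "In Progress", "Edwardo"),
    Task("REM-3", NOW - timedelta(days=2), "Medium", "Remediated", "Ana"),
    Task("REM-4", NOW - timedelta(days=10), "Low", "Remediated", "Edwardo"),
]


if __name__ == "__main__":
    # Tasks created by Edwardo within the last 7 days: REM-1 and REM-2.
    shown = filter_tasks(SAMPLE_TASKS, NOW, time_range="Last 7 Days", created_by="Edwardo")
    print([t.task_id for t in shown])
    print(footer(len(shown), len(shown)))
```

The CUSTOM DATE RANGE check mirrors the UI, where choosing a custom range takes the place of the Time Range option rather than combining with it; the reset described in the next section corresponds to calling `filter_tasks` with every criterion left as None.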
Remove My Filters from the Tasks List
NetWitness Platform remembers your filter selections in the Tasks List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of tasks that you expect to see or you want to view all of the tasks in your tasks list, you can reset your filters.
- Go to RESPOND > Tasks.
The Filters panel appears to the left of the tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click the icon that opens the Filters panel.
- At the bottom of the Filters panel, click Reset Filters.
Create a Task
After you investigate an incident and know more about it, you can create a task, assign it to a user, and track it to closure. You create tasks from the Incident Details view.
- Go to RESPOND > Incidents.
The Incidents List view displays a list of all incidents.
- Locate the incident that needs a task and click the link in the ID or NAME field.
The Incident Details view opens.
- In the toolbar at the top right of the Incident Details view, click the icon that opens the Journal panel.
The Journal panel opens.
- Click the TASKS tab.
- In the Tasks panel, click Add New Task.
You can see the new task fields. If the incident is in a closed state (Closed or Closed - False Positive), the Add New Task button is disabled.
- Provide the following information:
- Name - Name of the task. For example: Re-image the machine.
- Description - (Optional) Type information that describes the task. You may want to include any applicable reference numbers.
- Assignee - (Optional) Type the username of the user to whom the task is to be assigned.
- Priority - Click the priority button and select a priority for the tasks from the drop-down list: Low, Medium, High, or Critical.
- Click Save.
You can see a confirmation that your change was successful. The incident status changes to Task Requested. The task appears in the Tasks panel for this incident.
In the Incidents List view, the incident status also changes to Task Requested.
The task also appears in the Tasks list (RESPOND > Tasks), which shows a list of all incident tasks.
Note: If you do not see the status change, you may need to refresh your internet browser.
Find a Task
If you know the Task ID, you can quickly locate a task using the Filter. For example, you may want to locate a specific task out of thousands of tasks.
- Go to RESPOND > Tasks.
The Filters panel appears to the left of the Tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click the icon that opens the Filters panel.
- In the TASK ID field, type the Task ID for a task that you would like to locate, for example REM-1234.
The specified task appears in your task list. If you do not see any results, try resetting your filters.
Modify a Task
You can modify a task from within an incident and from the Tasks list. For example, you may want to show the status of the task as In Progress and add some additional information to the task. If the task is in a closed state (Not Applicable, Risk Accepted, or Remediated), you cannot modify the Priority or Assignee.
To modify a Task from within an incident:
- Go to RESPOND > Incidents.
The Incidents List view displays a list of all incidents.
- Locate the incident that needs a task update and click the link in the ID or NAME field.
The Incident Details view opens.
- In the toolbar at the top right of the view, click the icon that opens the Journal panel.
The Journal panel opens.
- Click the TASKS tab.
- In the Tasks panel, a pencil icon indicates a text field that you can change. A button indicates that there is a drop-down list to make a selection.
- You can modify any of the following fields:
- NAME - Click the current task name to open a text editor.
Click the check mark to confirm the change. For example, you can change "Re-image the machine" to "Re-image the machine ASAP."
- ASSIGNEE - Click (Unassigned) or the name of the previous assignee to open a text editor. Type the username of the user to whom the task is to be assigned. Click the check mark to confirm the change.
- PRIORITY - Click the Priority button and select a priority for the task from the drop-down list: Low, Medium, High, or Critical.
- STATUS - Click the Status button and select a status for the task from the drop-down list: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable. For example, you can change the status to In Progress.
- DESCRIPTION - Click the text underneath the description to open a text editor.
Modify the text and click the check mark to confirm the change.
For each change that you make, you can see a confirmation that your change was successful.
To modify a Task from the Tasks list:
- Go to RESPOND > Tasks.
The Tasks List view displays a list of all incident tasks. - In the Tasks list, click the task that you want to update.
The Task Overview panel appears to the right of the tasks list.
In the Task Overview panel, a pencil icon indicates a text field that you can change. A button indicates that there is a drop-down list to make a selection.
- You can modify any of the following fields:
- <Task Name> - At the top of the Task Overview panel, below the Task ID, click the current task name to open a text editor. Click the check mark to confirm the change. For example, you can change Isolate Host to Isolate Host Machine.
- Priority - Click the Priority button and select a priority for the task from the drop-down list: Low, Medium, High, or Critical.
- Status - Click the Status button and select a status for the task from the drop-down list: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable.
- Assignee - Click (Unassigned) or the name of the previous assignee to open a text editor. Type the username of the user to whom the task is to be assigned.
Click the check mark to confirm the change.
- Description - Click the text underneath the description to open a text editor. Modify the text and click the check mark to confirm the change.
For each change that you make, you can see a confirmation that your change was successful.
Delete a Task
You can delete a task, if, for example, you created it in error or you find that it is not needed. You can delete a task from within an incident and also from the Tasks List view. In the Tasks List view, you can delete multiple tasks at the same time.
To Delete a Task from within an incident:
- Go to RESPOND > Incidents.
The Incidents List view displays a list of all incidents.
- Locate the incident that needs a task update and click the link in the ID or NAME field.
The Incident Details view opens.
- In the toolbar at the top right of the view, click the icon that opens the Journal panel.
The Journal panel opens.
- Click the TASKS tab.
- In the Tasks panel, you can see the tasks created for the incident.
- Click the icon to the right of the task that you want to delete.
- Confirm that you want to delete the task and click OK.
The task is deleted from NetWitness Platform. Deleting tasks from NetWitness Platform does not delete them from other systems.
To Delete Tasks from the Tasks List:
- Go to RESPOND > Tasks.
The Tasks List view displays a list of all incident tasks.
- In the Tasks list, select the tasks that you want to delete and click Delete.
- Confirm that you want to delete the tasks and click OK.
The tasks are deleted from NetWitness Platform. Deleting tasks from NetWitness Platform does not delete them from other systems.
Close an Incident
When you have arrived at a solution after investigating an incident and remediating it, you close the incident.
- Go to RESPOND > Incidents.
- In the Incident List view, select the incident that you want to close and click Change Status.
- Select Closed from the drop-down list.
You can see a successful change notification. The incident is now closed. You cannot change the priority or assignee of a closed incident.
Note: You can also close an incident in the Overview panel. You can close multiple incidents at the same time in the Incident List view. Change Incident Status provides additional details.
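The status, priority and assignment sections above, together with Create a Task and Modify a Task, describe a small set of lifecycle rules: an incident starts as New, creating a task moves it to Task Requested, a closed incident refuses priority, assignee and new-task changes, a closed task refuses priority and assignee changes, and Send to Archer cannot be undone. The following Python models those rules as stated; it is an added example written for this page, not NetWitness code. The `Incident` and `Task` classes, the `NotPermitted` exception, and the placeholder Archer ID are assumptions; in the product the Archer ID is returned by Archer, not chosen by the analyst.

```python
"""Hypothetical model of the incident and task lifecycle rules this guide
states (added example, not NetWitness code): available statuses and
priorities, what a closed incident or closed task refuses, what creating a
task does to the incident status, and that Send to Archer is one-way."""
from dataclasses import dataclass, field
from typing import List, Optional

INCIDENT_STATUSES = ("New", "Assigned", "In Progress", "Task Requested",
                     "Task Complete", "Closed", "Closed - False Positive")
CLOSED_INCIDENT_STATUSES = ("Closed", "Closed - False Positive")
PRIORITIES = ("Critical", "High", "Medium", "Low")
TASK_STATUSES = ("New", "Assigned", "In Progress", "Remediated",
                 "Risk Accepted", "Not Applicable")
CLOSED_TASK_STATUSES = ("Remediated", "Risk Accepted", "Not Applicable")


class NotPermitted(Exception):
    """Raised where the UI disables a button or refuses a change."""


@dataclass
class Task:
    name: str
    priority: str = "Low"
    status: str = "New"
    assignee: Optional[str] = None

    def set_status(self, status: str) -> None:
        if status not in TASK_STATUSES:
            raise ValueError(f"unknown task status {status!r}")
        self.status = status

    def set_priority(self, priority: str) -> None:
        # Priority and Assignee of a closed task cannot be modified.
        if self.status in CLOSED_TASK_STATUSES:
            raise NotPermitted("priority of a closed task cannot be modified")
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r}")
        self.priority = priority

    def set_assignee(self, user: str) -> None:
        if self.status in CLOSED_TASK_STATUSES:
            raise NotPermitted("assignee of a closed task cannot be modified")
        self.assignee = user


@dataclass
class Incident:
    name: str
    priority: str = "Medium"
    status: str = "New"          # an incident first appears with status New
    assignee: Optional[str] = None
    archer_id: Optional[str] = None
    tasks: List[Task] = field(default_factory=list)
    journal: List[str] = field(default_factory=list)   # system journal entries

    @property
    def is_closed(self) -> bool:
        return self.status in CLOSED_INCIDENT_STATUSES

    def change_status(self, status: str) -> None:
        if status not in INCIDENT_STATUSES:
            raise ValueError(f"unknown incident status {status!r}")
        self.status = status

    def change_priority(self, priority: str) -> None:
        if self.is_closed:
            raise NotPermitted("priority of a closed incident cannot be changed")
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r}")
        self.priority = priority

    def assign(self, user: str) -> None:
        if self.is_closed:
            raise NotPermitted("assignee of a closed incident cannot be changed")
        self.assignee = user

    def add_task(self, name: str, priority: str = "Low",
                 assignee: Optional[str] = None) -> Task:
        # Add New Task is disabled for a closed incident; otherwise creating
        # a task moves the incident to Task Requested.
        if self.is_closed:
            raise NotPermitted("Add New Task is disabled for a closed incident")
        task = Task(name, priority, assignee=assignee)
        self.tasks.append(task)
        self.change_status("Task Requested")
        return task

    def send_to_archer(self, archer_id: str) -> str:
        # Not reversible, so a second send is refused. The real Archer ID is
        # returned by Archer; here the caller passes a placeholder.
        if self.archer_id is not None:
            raise NotPermitted("incident was already sent to Archer")
        self.archer_id = archer_id
        self.journal.append(f"Sent to Archer, Archer ID {archer_id}")
        return archer_id


if __name__ == "__main__":
    inc = Incident("High Risk Alerts: ESA for 90.0", priority="High")
    inc.assign("analyst")
    inc.change_status("In Progress")
    inc.add_task("Re-image the machine", priority="High")
    print(inc.status)            # Task Requested
    inc.send_to_archer("ARCHER-ID-PLACEHOLDER")
    inc.change_status("Closed")
    try:
        inc.change_priority("Critical")
    except NotPermitted as exc:
        print("refused:", exc)
```

Closing is modelled as an ordinary status change, matching the guide, where Close an Incident is simply Change Status with Closed selected; the Closed - False Positive status is treated the same way for every closed-state rule.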