Respond: Alerts List View

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.

The Alerts List view (RESPOND > Alerts) enables you to view all of the threat alerts and indicators received by NetWitness Suite in one location. This can include alerts received from ESA Correlation Rules, ESA Analytics, Malware Analysis, Reporting Engine, NetWitness Endpoint, as well as many others. In the Alerts List view you can browse through various alerts, filter them, and group them to create incidents.

Workflow

This workflow shows the high-level process that Analysts use to review alerts and create incidents.

Incident List view workflow diagram

In the Alerts List view, you can review a list of alerts from all sources received by NetWitness Suite. From there, you can investigate those alerts further and create incidents from them, or you can create aggregation rules that create incidents for you.

Note: You can use NetWitness Suite Automated Threat Detection to create incidents without manually creating rules.

What do you want to do?

Role | I want to ... | Show me how
Incident Responders, Analysts | View all alerts in NetWitness Suite.* | View Alerts
Incident Responders, Analysts | Filter alerts.* | Filter the Alerts List
Incident Responders, Analysts | View alert overview information and raw alert metadata.* | View Alert Summary Information
Incident Responders, Analysts | Create incidents from alerts.* | Create an Incident Manually
Administrators, Data Privacy Officers | Delete alerts.* | Delete Alerts
SOC Managers, Administrators | Create aggregation rules. | See "Create an Aggregation Rule for Alerts" in the NetWitness Respond Configuration Guide.
Incident Responders, Analysts | Investigate the events in an alert. | View Event Details for an Alert and Investigate Events
Incident Responders, Analysts | Add alerts to an existing incident. | Add Related Indicators to the Incident

*You can complete these tasks here (that is, in the Alerts List view).

Alerts List View

To access the Alerts List view, go to RESPOND > Alerts. The Alerts List view displays a list of all alerts and indicators received by the Respond Server database in NetWitness Suite. The following figure shows the Filters panel on the left.

Alerts List view

The Alerts List view consists of a Filters panel, an Alerts List, and an Alert Overview panel. You can click an alert in the Alerts List to view the Alert Overview panel on the right.

Alerts List view showing the Alert Overview panel

Alerts List

The Alerts List shows all of the alerts in NetWitness Suite. You can filter this list to only show alerts of interest.

Alerts List

Column | Description
Checkbox icon | Enables you to select one or more alerts to delete. Users with the appropriate permissions, such as Administrators and Data Privacy Officers, can delete alerts.
CREATED | Displays the date and time when the alert was recorded in the source system.
SEVERITY | Displays the level of severity of the alert. The values are from 1 through 100.
NAME | Displays a basic description of the alert.
SOURCE | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, ESA correlation rules, ESA Analytics, Reporting Engine, and many others.
# EVENTS | Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one event. For certain types of alerts, a high number of events may mean that the alert is riskier.
HOST SUMMARY | Displays host details, such as the host name, for the host from which the alert was triggered. The details may include information about the source and destination hosts in an alert. Some alerts may describe events across more than one host.
INCIDENT ID | Shows the Incident ID of the alert. If there is no Incident ID, the alert does not belong to any incident; you can create an incident to include this alert, or the alert can be added to an existing incident.

At the bottom of the list, you can see the number of alerts on the current page, the total number of alerts, and the number of alerts selected. For example: Showing 377 out of 377 items | 3 selected

Filters Panel

The following figure shows the filters available in the Filters panel.

Alerts List Filter panel

The Filters panel, on the left of the Alerts List view, has options that you can use to filter the alerts list. When you navigate away from the Filters panel, the Alerts List view retains your filter selections.

Option | Description
TIME RANGE | You can select a specific time period from the Time Range drop-down list. The time range is based on the received date of the alerts. For example, if you select Last Hour, you will see alerts that were received within the last 60 minutes.
CUSTOM DATE RANGE | You can specify an exact date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
TYPE | Indicates the type of events in the alert, for example, logs, network sessions, and so on.
SOURCE | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, Event Stream Analysis (ESA Correlation Rules), ESA Analytics, Reporting Engine, Web Threat Detection, and many others.
SEVERITY | Displays the level of severity of the alert. The values are from 1 through 100.
PART OF INCIDENT | Categorizes alerts by whether or not they are associated with an incident. Select Yes to view alerts that are part of an incident. Select No to view alerts that are not part of an incident. For example, before you create incidents from alerts, you may want to select No to view only those alerts that are not already part of an incident.
ALERT NAMES | Shows the name of the alert. You can use this filter to search for all alerts generated by a specific rule or source, for example, Malicious IP - Reporting Engine.
Reset Filters | Removes your filter selections.

The Alerts List shows a list of alerts that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the alerts list. For example: Showing 30 out of 30 items

Overview Panel

The Overview panel shows basic summary information about a selected alert and the raw alert metadata. The Overview panel in the Alert Details view contains the same information, but in the Alert Details view you can expand the panel to view more information.

Alert Overview panel

The following table lists the fields displayed in the Alert Overview panel.

Field | Description
<Alert Name> | Displays the name of the alert.
Incident ID | Displays the Incident ID associated with the alert. You can click the Incident ID link to go to the Incident Details view of the associated incident. If there is no Incident ID, the alert does not belong to an incident. You can create an incident for this alert, or you can add it to an existing incident.
Created | Displays the date and time when the alert was created.
Severity | Displays the level of severity of the alert. The values are from 1 through 100.
Source | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, ESA correlation rules, ESA Analytics, Reporting Engine, and many others.
Type | Indicates the type of events in the alert, for example, logs, network sessions, and so on.
# Events | Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one event. For certain types of alerts, a high number of events may mean that the alert is riskier.
Raw Alert | Shows the raw alert metadata.

Toolbar Actions

This table lists the toolbar actions available in the Alerts List view.

Option | Description
Filter icon | Enables you to open the Filters panel so that you can specify the alerts that you would like to see in the Alerts List.
Close (X) icon | Closes the panel.
Create Incident button | Enables you to create incidents from alerts. The selected alerts cannot already be part of an incident. To get a list of alerts without incidents, filter the Alerts List: in the PART OF INCIDENT section, select No.
Delete button | Allows you to delete alerts.