Respond: Incidents List View

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.
Version 7

The Incidents List view (RESPOND > Incidents) shows Incident Responders and other Analysts a prioritized results list of incidents created from various sources. For example, your results list could show incidents created from ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection, such as C2 for packets or logs. From the Incidents List view, you have easy access to the information that you need to quickly triage and manage incidents through completion.

Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Suite.

Incidents List view workflow diagram

In the Incidents List view, you can review the list of prioritized incidents, which shows basic information about each incident. You can also change the assignee, priority, and status of the incidents. Because the results can be large in the incidents list, you have the option to filter those incidents by time range, incident ID, custom date range, priority, status, assignee, and categories.

What do you want to do?

                                                          
Role | I want to ... | Show me how
Incident Responders, Analysts, and SOC Manager | View prioritized incidents* | Review Prioritized Incident List
Incident Responders, Analysts, and SOC Manager | Filter and sort the incident list* | Filter the Incident List
Incident Responders, Analysts | View my incidents* | View My Incidents
Incident Responders, Analysts | Assign incidents to myself* | Assign Incidents to Myself
Incident Responders, Analysts, and SOC Manager | Find incidents* | Find an Incident
Incident Responders, Analysts, and SOC Manager | Update an incident.* | Escalate or Remediate the Incident
Incident Responders, Analysts | View incident details. | Determine which Incidents Require Action
Incident Responders, Analysts | Further investigate an incident. | Investigate the Incident
Incident Responders, Analysts, and SOC Manager | Create a task. | Escalate or Remediate the Incident

*You can complete these tasks here (that is, in the Incidents List view).


Quick Look

The following example shows the initial Incidents List view with the Filter panel. You can open the Overview panel for an incident by clicking an incident in the Incident List.

Incidents List view diagram showing Filter Panel and access to Overview Panel

                 
1. Filters Panel
2. Incidents List
3. Overview Panel

You can go directly to the Incident Details view from the Incidents List by clicking the hyperlinked ID or NAME. The Overview panel is also available in the Incident Details view. For more information about the Incidents Details view, see Incident Details View.

Incidents List View

To access the Incidents List view, go to RESPOND > Incidents. The Incidents List view displays a list of all incidents. The Incidents List view consists of a Filters panel, an Incidents List, and an Incidents Overview panel.

The following figure shows the Filter Panel on the left and the Incidents List on the right.

Incidents List view

The following figure shows the Incidents List on the left and the Incidents Overview panel on the right.

Incidents List view showing Overview panel

Incidents List

The Incidents List shows a list of all of the prioritized incidents. You can filter this list to show only incidents of interest.

                                            
Column | Description
CREATED | Shows the creation date of the incident.
PRIORITY | Shows the incident priority. Priority can be Critical, High, Medium, or Low. The priority is color coded: red indicates a Critical incident, orange represents a High risk incident, yellow indicates a Medium risk incident, and green represents a Low risk incident.
RISK SCORE | Shows the incident risk score. The risk score indicates the risk of the incident as calculated by an algorithm and is between 0 and 100, where 100 is the highest risk score.
ID | Shows the automatically created incident number. Each incident is assigned a unique number that you can use to track the incident.
NAME | Shows the incident name. The incident name is derived from the rule used to trigger the incident. Click the link to go to the Incident Details view for the selected incident.
STATUS | Shows the incident status. The status can be New, Assigned, In Progress, Task Requested, Task Complete, Closed, or Closed - False Positive.
ASSIGNEE | Shows the team member currently assigned to the incident.
ALERTS | Shows the number of alerts associated with the incident. An incident may include many alerts. A large number of alerts might mean that you are experiencing a large-scale attack.

At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number of incidents selected. For example: Showing 1000 out of 2517 items | 2 selected. The maximum number of incidents that you can view at one time is 1,000.

Filters Panel

The following figure shows the filters available in the Filters panel.

Incidents List Filter panel

The Filters panel, on the left of the Incidents List view, has options that you can use to filter the incidents list. When you navigate away from the Filters panel, the Incidents List view retains your filter selections.

                                                   
Option | Description
TIME RANGE | You can select a specific time period from the Time Range drop-down list. The time range is based on the received date of the alerts. For example, if you select Last Hour, you will see alerts that were received within the last 60 minutes.
CUSTOM DATE RANGE | You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
INCIDENT ID | You can type the Incident ID for an incident you would like to locate, for example INC-1050.
PRIORITY | Select the priorities that you would like to view.
STATUS | Select one or more incident statuses. For example, select Closed - False Positive to view only false positive incidents, which were initially identified as suspicious but were later found to be safe.
ASSIGNEE | Select the assignee or assignees of the incidents that you would like to view. For example, if you only want to view the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. If you want to view incidents regardless of the assignee, do not make a selection under Assignee.
CATEGORIES | Select one or more categories from the drop-down list. For example, if you only want to view incidents classified with the Backdoor or Privilege abuse categories, select Backdoor and Privilege abuse.
Reset Filters | Removes your filter selections.
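To make the column and filter semantics concrete, the following is an added Python illustration; it is not NetWitness code and does not use any NetWitness API. It models an incident with the fields described in the Incidents List columns and the Overview panel, applies a filter whose options mirror the Filters panel (empty selection means no restriction, as described for ASSIGNEE), and orders the result as a prioritized list capped at 1,000 rows with a separate total, like "Showing 1000 out of 2517 items". The field names, the constructed sample incidents, the ordering key (priority, then risk score, then creation time) and the decision to apply the relative Time Range to the incident's created time are all assumptions made for this example.

```python
"""Added illustration of Incidents List filtering and ordering (not NetWitness code).
Field names mirror the page's columns; sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Priority order and colour coding as documented for the PRIORITY column.
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
PRIORITY_COLOR = {"Critical": "red", "High": "orange", "Medium": "yellow", "Low": "green"}
# Status values listed for the STATUS column.
STATUSES = {"New", "Assigned", "In Progress", "Task Requested",
            "Task Complete", "Closed", "Closed - False Positive"}
MAX_ROWS = 1000  # the list shows at most 1,000 incidents at one time


@dataclass(frozen=True)
class Incident:
    id: str
    name: str
    created: datetime
    priority: str
    risk_score: int
    status: str
    assignee: Optional[str]
    alerts: int
    categories: Tuple[str, ...] = ()

    def __post_init__(self):
        # Reject values outside the documented ranges instead of sorting garbage.
        if self.priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {self.priority!r}")
        if not 0 <= self.risk_score <= 100:
            raise ValueError(f"risk score {self.risk_score} outside 0-100")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")


@dataclass(frozen=True)
class IncidentFilter:
    """Mirrors the Filters panel. An empty set means 'no selection', which
    places no restriction on that attribute (as the page describes for ASSIGNEE)."""
    time_range_minutes: Optional[int] = None   # e.g. 60 for "Last Hour"
    start: Optional[datetime] = None           # Custom Date Range start
    end: Optional[datetime] = None             # Custom Date Range end
    incident_id: Optional[str] = None
    priorities: FrozenSet[str] = frozenset()
    statuses: FrozenSet[str] = frozenset()
    assignees: FrozenSet[str] = frozenset()
    categories: FrozenSet[str] = frozenset()


def matches(inc: Incident, f: IncidentFilter, now: datetime) -> bool:
    # Assumption: the relative Time Range is applied to the incident's created
    # time here; the page states it is based on the alerts' received date.
    if f.time_range_minutes is not None and inc.created < now - timedelta(minutes=f.time_range_minutes):
        return False
    if f.start is not None and inc.created < f.start:
        return False
    if f.end is not None and inc.created > f.end:
        return False
    if f.incident_id is not None and inc.id != f.incident_id:
        return False
    if f.priorities and inc.priority not in f.priorities:
        return False
    if f.statuses and inc.status not in f.statuses:
        return False
    if f.assignees and inc.assignee not in f.assignees:
        return False
    # Categories: an incident matches if it carries any of the selected categories.
    if f.categories and not f.categories.intersection(inc.categories):
        return False
    return True


def filter_incidents(incidents: List[Incident], f: IncidentFilter, now: datetime,
                     page_size: int = MAX_ROWS) -> Tuple[List[Incident], int]:
    """Return (rows shown, total matches): highest priority first, then highest
    risk score, then oldest; capped at page_size like 'Showing 1000 out of 2517'."""
    hits = [i for i in incidents if matches(i, f, now)]
    hits.sort(key=lambda i: (PRIORITY_RANK[i.priority], -i.risk_score, i.created))
    return hits[:page_size], len(hits)


# Constructed sample data for the example (not real incidents).
NOW = datetime(2017, 10, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident("INC-1050", "Suspected C2 beacon", NOW - timedelta(minutes=20), "High", 85, "Assigned", "Cale", 12, ("Backdoor",)),
    Incident("INC-1051", "Privilege abuse on host", NOW - timedelta(hours=3), "Critical", 95, "New", None, 40, ("Privilege abuse",)),
    Incident("INC-1052", "Suspected C2 beacon", NOW - timedelta(minutes=45), "High", 60, "In Progress", "Stanley", 5, ("Backdoor",)),
    Incident("INC-1053", "Port scan", NOW - timedelta(days=2), "Low", 20, "Closed - False Positive", "Cale", 1),
    Incident("INC-1054", "Malware download", NOW - timedelta(minutes=5), "Critical", 90, "New", None, 8, ("Malware",)),
]


def view(f: IncidentFilter, incidents=SAMPLE_INCIDENTS, now=NOW) -> Tuple[List[str], int]:
    """Apply a filter to the sample list; return (IDs in display order, total matches)."""
    rows, total = filter_incidents(incidents, f, now)
    return [i.id for i in rows], total


if __name__ == "__main__":
    for label, flt in [("All", IncidentFilter()),
                       ("Last Hour", IncidentFilter(time_range_minutes=60)),
                       ("Assignee Cale or Stanley", IncidentFilter(assignees=frozenset({"Cale", "Stanley"}))),
                       ("Closed - False Positive", IncidentFilter(statuses=frozenset({"Closed - False Positive"})))]:
        ids, total = view(flt)
        print(f"{label}: {ids}  (showing {len(ids)} out of {total} items)")
```

The ordering key puts Critical incidents before High ones regardless of risk score, so a Critical incident with risk score 90 is listed above a High incident with risk score 85; within one priority the higher risk score comes first. Passing `page_size` smaller than the number of matches returns only the first page while the total still counts every match, which is the behaviour of the count shown at the bottom of the list.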

Overview Panel

The Overview panel shows basic summary information about a selected incident. From the Incidents List, you can click an incident to access the Overview panel. The Overview panel in the Incident Details view contains the same information.

Incident Overview panel

The following table lists the fields displayed in the Incident Overview panel.

                                                       

Field | Description
<Incident ID> | Displays the Incident ID.
<Incident Name> | Displays the name of the incident. You can click the incident name to change it. For example, rules can create many incidents with the same name; you can change the incident names to be more specific.
Created | Shows the creation date and time of the incident.
Rule / By | Shows the name of the rule that created the incident or the name of the person who created the incident.
Risk Score | Indicates the risk of the incident as calculated by an algorithm and is between 0 and 100, where 100 is the highest risk score.
Priority | Shows the incident priority. Priority can be Critical, High, Medium, or Low. To change the priority, click the Priority button and select a new priority from the drop-down list.
Status | Shows the incident status. The status can be New, Assigned, In Progress, Task Requested, Task Complete, Closed, or Closed - False Positive. To change the status, click the Status button and select a new status from the drop-down list.
Assignee | Shows the team member currently assigned to the incident. To change the assignee, click the Assignee button and select a new assignee from the drop-down list.
Sources | Displays the data sources used to locate the suspicious activity.
Categories | Displays the categories of the incident events.
Catalysts | Displays the count of indicators that gave rise to the incident.

Toolbar Actions

This table lists the toolbar actions available in the Incidents List view.

                                    
Option | Description
Filter icon | Enables you to open the Filters panel so that you can specify the incidents that you would like to see in the Incidents List.
Close (X) icon | Closes the panel.
Change Priority button | Allows you to change the Priority of one or more selected incidents in the Incidents List.
Change Status button | Allows you to change the Status of one or more selected incidents.
Change Assignee button | Allows you to change the Assignee of one or more selected incidents.
Delete button | Allows you to delete the selected incidents if you have the appropriate permissions, such as an Administrator or Data Privacy Officer.