Respond: Investigate the Incident

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017. Version 6.

To further investigate an incident within the Incident Details view, you can follow links to additional contextual information about the incident when it is available. This context can give you both technical and business background on a specific entity in the incident, and it can point you to further information you may want to research to make sure you understand the full scope of the incident.

View Contextual Information

In the Indicators panel, Events List panel, Event Details panel, or the Nodal Graph, you can see underlined entities. If an entity is underlined, NetWitness Suite is populating information about that entity type in the Context Hub. There may be additional information available about that entity in the Context Hub.

The following figure shows underlined entities in the Indicators panel and the Nodal Graph.

Indicators panel and Nodal Graph showing underlined entities

The following figure shows underlined entities in the Event Details panel.

Event Details panel showing underlined entities

The Context Hub is preconfigured with meta fields mapped to the entities. NetWitness Respond and Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Settings for a Data Source" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, RSA recommends that when mapping meta keys in the ADMIN > SYSTEM > Investigations > Context Lookup tab, you add only meta keys to the Meta Key Mappings, not fields in the MongoDB. For example, ip.address is a meta key and ip_address is not a meta key (it is a field in the MongoDB).

To view contextual information:

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over an underlined entity.
    A context tooltip appears with a quick summary of the type of context data that is available for the selected entity.
    Nodal Graph showing context tooltip
    The context tooltip has two sections: Context Highlights and Actions.
    Context tooltip
    The information in the Context Highlights section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, Endpoint, and Live Connect. Depending on your data, you may be able to click these items for more information. The above example shows 430 related incidents, 665 alerts, 0 lists, and no information in NetWitness Endpoint or Live Connect that mentions the IP address entity, 192.168.144.254.

    The Actions section lists the available actions. In the above example, the Pivot to Investigate, Pivot to Endpoint, and Add/Remove from List options are available. For more information, see Pivot to Investigate, Pivot to NetWitness Endpoint, and Add an Entity to a Whitelist.
  2. To see more details about the selected entity, click the View Context button.
    The Context Lookup panel opens and shows all of the information related to the entity.
    The following example shows contextual information for a selected source IP address. It lists all of the incidents that mention the IP address.
    Context panel
    To understand the different views within the Context Hub Lookup panel, see Context Lookup Panel - Respond View.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
    Nodal graph showing Add to List option
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
    The Add/Remove from List dialog shows the available lists.
    Add to List dialog
  3. Select one or more lists and click Save.
    The entity appears on the selected lists.
    Add/Remove from List Dialog provides additional information.

Create a List

You can create lists in Context Hub from the Respond view. In addition to using lists to whitelist and blacklist entities, you can use lists to monitor entities for abnormal behavior. For example, to improve the visibility of a suspicious IP address and Domain under investigation, you may want to include them in two separate lists. One list could be for domains suspected of being related to command and control connections, and another list could be for IP addresses related to remote access Trojan connections. You can then identify indicators of compromise using these lists.

To create a list in Context Hub:

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
  3. In the Add/Remove from List dialog, click Create New List.
    Add/Remove from List dialog Create New List section
  4. Type a unique List NAME for the list. The list name is not case sensitive.
  5. (Optional) Type a DESCRIPTION for the list.
    Analysts with the appropriate permissions can also export lists in CSV format to send to other analysts for further tracking and analysis. The Context Hub Configuration Guide provides additional information.

Pivot to NetWitness Endpoint

If you have the NetWitness Endpoint thick client application installed, you can launch it through the context tooltip. From there, you can further investigate a suspicious IP address, Host, or MAC address.

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Endpoint.
    The NetWitness Endpoint application opens outside of your web browser.

For more information, see the NetWitness Endpoint User Guide.

Pivot to Investigate

For a more thorough investigation of the incident, you can access the Investigate view.

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Investigate.
    The Investigate Navigate view opens, which enables you to perform a deeper dive investigation.

For more information, see the Investigation and Malware Analysis User Guide.

Document Steps Taken Outside of NetWitness

The journal shows notes added by analysts and it enables you to collaborate with your peers. You can post notes to a journal, add Investigation Milestone tags (Reconnaissance, Delivery, Exploitation, Installation, Command and Control), and view the history of activity on your incident.

View the Journal Entries for an Incident

In the Incident Details view toolbar, click the Journal icon.
Details view showing the Journal icon
The Journal appears on the right side of the Incident Details view.
Incident Details view showing Journal panel

The Journal shows the history of activity on an incident. For each journal entry, you can see the author and time of the entry.
Journal Panel

Add a Note

Typically, you will want to add a note to allow another analyst to understand the incident, or add a note for posterity so that your investigative steps are documented.

  1. At the bottom of the Journal panel, type your note in the New Journal Entry box.
    New Journal Entry example
  2. (Optional) Select an Investigation Milestone from the drop-down list (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action On Objective, Containment, Eradication, and Closure).

  3. After you finish your note, click Submit.
    Your new journal entry appears in the Journal.
    Journal showing a successful journal entry

Delete a Note

  1. In the Journal panel, locate the journal entry that you would like to delete.
  2. Click the trash can (delete) icon next to the journal entry.
    Journal entry showing trash can (delete) icon
  3. In the confirmation dialog that appears, click OK to confirm that you want to delete the journal entry. This action cannot be reversed.