Respond: Investigate the Incident

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Jul 8, 2019. Version 11.

To further investigate an incident within the Incident Details view, you can follow links that take you to additional contextual information about the incident when it is available. This context can help you understand both the technical context and the business context of a specific entity in the incident. It can also point to information that you may want to research to ensure that you understand the full scope of the incident.

You can perform the following procedures to further investigate an incident:

 

View Contextual Information

In the Indicators panel, Events List, or the Nodal Graph, you can view the underlined entities. If an entity is underlined, NetWitness Platform is populating information about that entity type in the Context Hub. There may be additional information available about that entity in the Context Hub.

The following figure shows underlined entities in the Indicators panel and the Nodal Graph.

Indicators panel and Nodal Graph showing underlined entities

The following figure shows underlined entities in the Events list details.

Event Details shows underlined entities

The Context Hub is preconfigured with meta fields mapped to the entities. NetWitness Respond and NetWitness Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Settings for a Data Source" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, RSA recommends that when mapping meta keys in the ADMIN > System > Investigation > Context Lookup tab, you add only meta keys to the Meta Key Mappings, not fields in the MongoDB. For example, ip.address is a meta key and ip_address is not a meta key (it is a field in the MongoDB).

To view contextual information:

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over an underlined entity.
    A context tooltip appears with a quick summary of the type of context data that is available for the selected entity.
    Nodal Graph showing context tooltip
    The context tooltip has two sections: Context Highlights and Actions.
    Context tooltip
    The information in the Context Highlights section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, Endpoint, Live Connect, Criticality, Asset Risk, and Reputation. Depending on your data, you may be able to click these items for more information.
    The above example shows 41 related incidents, 274 alerts, 0 lists for the selected host, and no information available for endpoint, criticality, and asset risk.
  2. The Actions section lists the available actions. In the above example, the Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Investigate > Hosts/Files, and Pivot to Endpoint Thick Client options are available.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly.

For more information, see Pivot to Investigate > Navigate, Pivot to Archer, Pivot to NetWitness Endpoint Thick Client, Pivot to Investigate > Hosts/Files, and Add an Entity to a Whitelist.

  3. To see more details about the selected entity, click the View Context button.
    The Context Lookup panel opens and shows all of the information related to the entity.
    The following example shows contextual information for a selected host. It lists all of the incidents that mention that host.
    Context panel

To understand the different views within the Context Hub Lookup panel, see Context Lookup Panel - Respond View.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
    Add/Remove from List option accessed from the Events List
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
    The Add/Remove from List dialog shows the available lists.
    Add/Remove from List dialog with IP_Whitelist selected
  3. Select one or more lists and click Save.
    The entity appears on the selected lists.
    Add/Remove from List Dialog provides additional information.

Create a List

You can create lists in Context Hub from the Respond view. In addition to using lists to whitelist and blacklist entities, you can use lists to monitor entities for abnormal behavior. For example, to improve the visibility of a suspicious IP address and Domain under investigation, you may want to include them in two separate lists. One list could be for domains suspected of being related to command and control connections, and another list could be for IP addresses related to remote access Trojan connections. You can then identify indicators of compromise using these lists.

To create a list in Context Hub:

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
  3. In the Add/Remove from List dialog, click Create New List.
    Add/Remove from List dialog Create New List section
  4. Type a unique List NAME for the list. The list name is not case sensitive.
  5. (Optional) Type a DESCRIPTION for the list.
    Analysts with the appropriate permissions can also export lists in CSV format to send to other analysts for further tracking and analysis. The Context Hub Configuration Guide provides additional information.
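The whitelist and watch-list workflow described above, as an added example that is not part of this guide or the NetWitness product code: a small Python model of Context Hub style lists in which a whitelist suppresses false positives, separate lists track suspected command and control domains and remote access Trojan peers, list names are unique and not case sensitive, and a list can be exported as CSV. The list names other than IP_Whitelist, the meta key names used in the sample events, and all entities and events are constructed for illustration.

```python
"""Added example (not NetWitness code): Context Hub style entity lists used to
whitelist known-good entities and to watch entities tied to suspected C2 or RAT
activity. Events, list names and entities below are constructed sample data."""
import csv
import io
from dataclasses import dataclass, field


@dataclass
class EntityList:
    """One named list; entities are normalized so matching is case-insensitive."""
    name: str
    description: str = ""
    entities: set = field(default_factory=set)

    def add(self, entity: str) -> None:
        self.entities.add(entity.strip().lower())

    def contains(self, entity: str) -> bool:
        return entity.strip().lower() in self.entities

    def to_csv(self) -> str:
        """Export in CSV form, the format the guide says analysts can share."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["list", "entity"])
        for entity in sorted(self.entities):
            writer.writerow([self.name, entity])
        return buf.getvalue()


class ListStore:
    """Collection of lists; list names are unique and not case sensitive."""

    def __init__(self) -> None:
        self.lists: dict = {}

    def create_list(self, name: str, description: str = "") -> EntityList:
        key = name.lower()
        if key in self.lists:
            raise ValueError(f"list {name!r} already exists")
        self.lists[key] = EntityList(name, description)
        return self.lists[key]

    def lists_for(self, entity: str) -> list:
        return sorted(lst.name for lst in self.lists.values() if lst.contains(entity))


WHITELIST = "IP_Whitelist"  # list name taken from the guide's screenshot caption


def classify_entity(store: ListStore, entity: str) -> tuple:
    """Whitelist membership wins over any watch list, to suppress false positives."""
    hits = store.lists_for(entity)
    if WHITELIST in hits:
        return "whitelisted", hits
    if hits:
        return "watch", hits
    return "no-match", hits


def build_sample_store() -> ListStore:
    """Constructed lists; the watch-list names are hypothetical."""
    store = ListStore()
    store.create_list(WHITELIST, "Internal scanner; suppress as false positive").add("10.0.0.5")
    store.create_list("Suspected_C2_Domains", "Domains seen in beaconing alerts").add(
        "Update-Check.Example.test")
    store.create_list("RAT_IPs", "Peers of remote access Trojan connections").add("203.0.113.77")
    return store


# Constructed events keyed by NetWitness-style meta key names (ip.src, ip.dst, alias.host).
SAMPLE_EVENTS = [
    {"id": 1, "ip.src": "10.0.0.5", "ip.dst": "203.0.113.77", "alias.host": "update-check.example.test"},
    {"id": 2, "ip.src": "10.0.0.9", "ip.dst": "198.51.100.1", "alias.host": "cdn.example.test"},
    {"id": 3, "ip.src": "10.0.0.5", "ip.dst": "198.51.100.2", "alias.host": None},
]


def review_events(store: ListStore, events: list) -> list:
    """Return (event id, meta key, entity, matching lists) for watch-listed entities."""
    findings = []
    for event in events:
        for key in ("ip.src", "ip.dst", "alias.host"):
            value = event.get(key)
            if not value:
                continue
            status, hits = classify_entity(store, value)
            if status == "watch":
                findings.append((event["id"], key, value, hits))
    return findings


if __name__ == "__main__":
    for finding in review_events(build_sample_store(), SAMPLE_EVENTS):
        print(finding)
```

Whitelist precedence is the design point worth noting: an entity that appears on both the whitelist and a watch list is reported as whitelisted, which is what you want when the whitelist exists to silence a known scanner, but it also means a stale whitelist entry can hide a real hit, so review whitelist contents as part of closing an incident.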

View the Reputation Status of a File Hash

The File Reputation service available on RSA Live checks the reputation of every file hash against an extensive database of known file hashes that is updated in real time. The file reputation is displayed in the Investigate and Respond views. On a View Context lookup, if the reputation status has changed, Context Hub notifies all Endpoint servers of the change. Information about the file hash, such as any suspicious or malicious activity associated with the file, is populated from Context Hub. There may be additional information available about that entity in the Context Hub.

The following table describes the file hash reputations.

Reputation    Description
Malicious     File hash is labeled as malicious.
Suspicious    File hash is suspected to be malicious.
Unknown       File hash is not known.
Known         File hash information is known to the file reputation service and does not have any previous bad record.
Known Good    File hash information is known good, such as files signed by Microsoft or RSA.
Invalid       File hash format is invalid.

Note: A reputation status is visible for a file hash entity only, and the File Reputation service supports a maximum of 10 million files for file hash reputation.

The suspicious or malicious files are available for further analysis in the Investigate > Navigate view and Investigate > Event Analysis view. For more information on the file reputation service, see the Live Services Management Guide and the Endpoint User Guide.
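The reputation values from the table above, applied in code as an added example (this is illustrative Python, not the File Reputation service or any NetWitness API): a file hash entity is normalized to lowercase hex, anything that is not a well-formed MD5, SHA-1 or SHA-256 digest is reported as Invalid, a well-formed but unseen hash is Unknown, a change in a stored reputation produces a notification record in the spirit of the Endpoint server notification described above, and triage returns the Suspicious and Malicious hashes the text says warrant further analysis. The digests, verdicts, and the class and function names are constructed for illustration; the 10 million file limit is the one stated in the note.

```python
"""Added example (not NetWitness code): normalizing and validating file hash
entities before a reputation lookup, using the reputation values from the table
in the guide. Hashes and verdicts below are constructed sample data."""
import re
from typing import Optional

# Accepted digest lengths (hex); anything else gets the Invalid reputation.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
REPUTATIONS = ("Malicious", "Suspicious", "Unknown", "Known", "Known Good", "Invalid")
NEEDS_ANALYSIS = ("Malicious", "Suspicious")
MAX_TRACKED = 10_000_000  # service limit stated in the guide's note


def normalize_hash(value: str) -> str:
    """Hashes arrive in mixed case from different sources; compare in lowercase."""
    return value.strip().lower()


def hash_type(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256', or None when the format is not a digest."""
    normalized = normalize_hash(value)
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(normalized):
            return name
    return None


class ReputationStore:
    """Hash -> reputation map that records a notification for every real change."""

    def __init__(self, records: dict):
        self.records = {}
        self.notifications = []  # (hash, old reputation, new reputation)
        for digest, reputation in records.items():
            self.update(digest, reputation)

    def update(self, digest: str, reputation: str) -> bool:
        """Set a reputation; return True (and notify) only when the value changed."""
        if reputation not in REPUTATIONS:
            raise ValueError(f"unknown reputation {reputation!r}")
        key = normalize_hash(digest)
        if hash_type(key) is None:
            raise ValueError(f"not a well-formed hash: {digest!r}")
        old = self.records.get(key)
        if old == reputation:
            return False
        if old is None and len(self.records) >= MAX_TRACKED:
            raise RuntimeError("reputation store is at the documented file limit")
        self.records[key] = reputation
        if old is not None:
            self.notifications.append((key, old, reputation))
        return True

    def lookup(self, value: str) -> str:
        """Malformed input is Invalid; a well-formed but unseen hash is Unknown."""
        if hash_type(value) is None:
            return "Invalid"
        return self.records.get(normalize_hash(value), "Unknown")


def triage(store: ReputationStore, hashes) -> list:
    """Hashes the guide says warrant further analysis: Suspicious or Malicious."""
    verdicts = [(h, store.lookup(h)) for h in hashes]
    return [(h, rep) for h, rep in verdicts if rep in NEEDS_ANALYSIS]


# Constructed sample digests (repeated byte patterns, not hashes of real files).
MAL_MD5 = "ab" * 16
SUS_SHA1 = "cd" * 20
GOOD_SHA256 = "ef" * 32
UNSEEN_MD5 = "12" * 16


def build_sample_reputations() -> ReputationStore:
    return ReputationStore({MAL_MD5: "Malicious", SUS_SHA1: "Suspicious", GOOD_SHA256: "Known Good"})


if __name__ == "__main__":
    store = build_sample_reputations()
    for digest in (MAL_MD5.upper(), SUS_SHA1, GOOD_SHA256, UNSEEN_MD5, "not-a-hash"):
        print(digest[:16], store.lookup(digest))
```

Separating Invalid from Unknown matters during triage: an Invalid result usually means the hash was truncated or mangled on its way into the incident (a copy-paste of a partial digest, for instance), and looking it up again after fixing the entity is cheap, whereas Unknown is a genuine answer from the service and the file needs other evidence.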

To view the reputation of a file hash:

  1. Go to RESPOND > Incidents.
  2. In the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.
    The Incident Details view is displayed.
    Incidents List view
  3. Hover over the file hash entity.
    The context tooltip displays the reputation status of the selected file hash entity.
    Context tooltip showing Malicious Reputation
  4. Click View Context or REPUTATION to view the reputation status information.
  5. Click the File Reputation data source to view further details.
    The details for the reputation status are displayed.
    File reputation details

Pivot to Investigate > Navigate

For a more thorough investigation of the incident, you can access the Investigate Navigate view.

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Investigate > Navigate.
    The Investigate Navigate view opens, which enables you to perform a deep dive investigation.

For more information, see the NetWitness Investigate User Guide.

Pivot to Investigate > Hosts/Files

For more thorough information about specific hosts and files, you can access the Investigate Hosts and Files views.

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Investigate > Hosts/Files.
    If the entity is a host, IP address, or MAC address, the Investigate > Hosts view opens with that host listed.
    If the entity is a filename or file hash, the Investigate > Files view opens with that file listed.

Note: By default, the search for entities is on the previously selected Endpoint Server. However, you can select a different Endpoint Server to fetch the information or data.

For more information, see the NetWitness Investigate User Guide.

Pivot to NetWitness Endpoint Thick Client

If you have the NetWitness Endpoint thick client application installed, you can launch it through the context tooltip. From there, you can further investigate a suspicious IP address, host, or MAC address.

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Endpoint Thick Client.
    The NetWitness Endpoint thick client application opens outside of your web browser.

For more information on the thick client, see the NetWitness Endpoint User Guide.

Pivot to Archer

To view more details about a device in RSA Archer® Cyber Incident & Breach Response, you can pivot to the device details page. This information is displayed only for IP address, host, and MAC address entities.

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over any underlined IP address, host, or MAC address entity to access a context tooltip.
  2. In the ACTIONS section, select Pivot to Archer.
    Context tooltip from the nodal graph in the Incident Details view
    The device details page in RSA Archer Cyber Incident & Breach Response opens if you are logged in to the application; otherwise, the login screen is displayed.
    RSA Archer Cyber Incident & Breach Response

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly.

For more information, see the RSA Archer Integration Guide.

View Event Analysis Details for Indicators

In the Incident Details view Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of them. In the Event Analysis panel, you can view raw events and metadata with interactive features that enhance your ability to find meaningful patterns in the data. You can examine network, log, and endpoint events in the Event Analysis panel. The Event Analysis panel in the Respond view shows the Event Analysis view from Investigate for specific indicator events. For detailed information about the Event Analysis view, see the NetWitness Investigate User Guide.

Note: You must have the following Investigate-server permissions to view Event Analysis in the Respond view:
  • event.read
  • content.reconstruct
  • content.export
Event Analysis requires all Core services to be on NetWitness 11.2 or greater.

Migration Considerations

Migrated incidents from NetWitness Platform versions before 11.2 will not show the Event Analysis panel in the Respond Incident Details view Indicators panel. Likewise, if you use alerts that were migrated from versions before 11.2 to create incidents in 11.3, you will also not be able to view the Event Analysis panel in the Respond view for those incidents.

To access Event Analysis details for an event in the Indicators panel:

  1. Go to RESPOND > Incidents.
  2. In the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.
    The Incident Details view is displayed.
  3. In the left panel of the Incident Details view, select INDICATORS.
    Incident Details view with Indicators panel in view
    Data source information is shown below the names of the indicators. You can also see the creation date and time as well as the number of events in the indicator. If Event Analysis (EA) information is available, you can see an EA icon in front of the event count as shown in the following figure.
    Event with EA icon visible
  4. Click an event count with an EA icon to view additional event information.
    Indicators panel showing additional event details
  5. Click an event type hyperlink within the event to open the Event Analysis panel. In the following example, the event type is Network.
    Indicators panel showing event type hyperlink
    The Event Analysis panel shows event details for the event, such as packet analysis details. The information available can vary based on the event type.
    Incident Details view showing the Event Analysis panel for the selected event
    For detailed information about the Event Analysis view, see the NetWitness Investigate User Guide.

Note: If you want to send the Event Analysis URL link to another analyst, you can copy the event type hyperlink.

View User Entity Behavior Analytics for Indicators

RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. You can access UEBA from the Respond Incident Details view Indicators panel. Indicators with a User Entity Behavior Analytics hyperlink have additional UEBA information available. For detailed information about UEBA, see the NetWitness UEBA User Guide.

UEBA in the Respond Incident Details view

Document Steps Taken Outside of NetWitness

The journal shows notes added by analysts and enables you to collaborate with your peers. You can post notes to a journal, add Investigation Milestone tags (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action on Objective, Containment, Eradication, and Closure), and view the history of activity on your incident.

View the Journal Entries for an Incident

In the Incident Details view toolbar, click the Journal icon.
Details view showing the Journal icon
The Journal appears on the right side of the Incident Details view.
Incident Details view showing Journal panel

The Journal shows the history of activity on an incident. For each journal entry, you can see the author and time of the entry.
Journal Panel

Add a Note

Typically, you will want to add a note to allow another analyst to understand the incident, or add a note for posterity so that your investigative steps are documented.

  1. At the bottom of the Journal panel, type your note in the New Journal Entry box.
    New Journal Entry example
  2. (Optional) Select an Investigation Milestone from the drop-down list (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action On Objective, Containment, Eradication, and Closure).
  3. After you finish your note, click Submit.
    Your new journal entry appears in the Journal.
    Journal showing a successful journal entry

Delete a Note

  1. In the Journal panel, locate the journal entry that you would like to delete.
  2. Click the trash can (delete) icon next to the journal entry.
    Journal entry showing trash can (delete) icon
  3. In the confirmation dialog that appears, click OK to confirm that you want to delete the journal entry. This action cannot be reversed.
