Respond: Investigate the Incident

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 9
To further investigate an incident within the Incident Details view, you can follow links that take you to additional contextual information about the incident when it is available. This context can give you technical and business background about a specific entity in the incident, and it can point you to further information that you should research to be sure you understand the full scope of the incident.

View Contextual Information

In the Indicators panel, Events List panel, Event Details panel, or the Nodal Graph, some entities are underlined. An underlined entity is one whose entity type NetWitness Platform populates in the Context Hub, so additional information about that entity may be available there.

The following figure shows underlined entities in the Indicators panel and the Nodal Graph.

Indicators panel and Nodal Graph showing underlined entities

The following figure shows underlined entities in the Event Details panel.

Event Details panel showing underlined entities

The Context Hub is preconfigured with meta fields mapped to the entities. NetWitness Respond and Respond Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Settings for a Data Source" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, RSA recommends that when mapping meta keys in the ADMIN > System > Investigation > Context Lookup tab, you add only meta keys to the Meta Key Mappings, not fields in the MongoDB. For example, ip.address is a meta key and ip_address is not a meta key (it is a field in the MongoDB).

To view contextual information:

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over an underlined entity.
    A context tooltip appears with a quick summary of the type of context data that is available for the selected entity.
    Nodal Graph showing context tooltip
    The context tooltip has two sections: Context Highlights and Actions.
    Context tooltip
    The information in the Context Highlights section helps you decide which actions to take. It can show related data for Incidents, Alerts, Lists, Endpoint, Live Connect, Criticality, and Asset Risk. Depending on your data, you may be able to click these items for more information.
    The above example shows 30 related incidents, 36 alerts, and 1 list for the selected IP address, an endpoint rating of LOW, a criticality of HIGH, and an asset risk of HIGH. Live Connect has no information that mentions the selected IP address.
  2. The Actions section lists the available actions. In the above example, the Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Archer, and Pivot to Endpoint Thick Client options are available.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly.

For more information, see Pivot to Investigate > Navigate, Pivot to Archer, Pivot to NetWitness Endpoint Thick Client, and Add an Entity to a Whitelist.

  3. To see more details about the selected entity, click the View Context button.
    The Context Lookup panel opens and shows all of the information related to the entity.
    The following example shows contextual information for a selected IP address. It lists all of the incidents that mention the IP address.
    Context panel

To understand the different views within the Context Hub Lookup panel, see Context Lookup Panel - Respond View.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
    Nodal graph showing Add to List option
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
    The Add/Remove from List dialog shows the available lists.
    Add to List dialog
  3. Select one or more lists and click Save.
    The entity appears on the selected lists.
    For details about the dialog, see Add/Remove from List Dialog.

Create a List

You can create lists in Context Hub from the Respond view. In addition to using lists to whitelist and blacklist entities, you can use lists to monitor entities for abnormal behavior. For example, to improve the visibility of a suspicious IP address and Domain under investigation, you may want to include them in two separate lists. One list could be for domains suspected of being related to command and control connections, and another list could be for IP addresses related to remote access Trojan connections. You can then identify indicators of compromise using these lists.

To create a list in Context Hub:

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
  3. In the Add/Remove from List dialog, click Create New List.
    Add/Remove from List dialog Create New List section
  4. Type a unique List NAME for the list. The list name is not case sensitive.
  5. (Optional) Type a DESCRIPTION for the list.
    Analysts with the appropriate permissions can also export lists in CSV format to send to other analysts for further tracking and analysis. The Context Hub Configuration Guide provides additional information.
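The two list uses described in this section and in Add an Entity to a Whitelist (excluding whitelisted entities from the related entities, and matching indicator entities against watchlists such as a C2 domain list and a RAT IP list) are illustrated below. This is an added example, not NetWitness code: the in-memory list store, the `triage` function, the CSV column layout, and the sample indicator values are all assumptions made here. The only behaviours taken from the page are that list names are unique and not case sensitive and that lists can be exported as CSV.

```python
import csv
import io
from dataclasses import dataclass, field

WHITELIST = "Whitelist"  # members of this list are excluded from related entities (assumed name)


@dataclass
class ContextList:
    """One Context Hub-style list. Values are normalised so that
    'C2-Beacon.example' and 'c2-beacon.example' match the same entry."""
    name: str
    description: str = ""
    entries: set = field(default_factory=set)

    def add(self, value: str) -> None:
        self.entries.add(value.strip().lower())

    def contains(self, value: str) -> bool:
        return value.strip().lower() in self.entries


class ListStore:
    """In-memory stand-in for the Context Hub list data source (an assumption)."""

    def __init__(self) -> None:
        self._lists: dict[str, ContextList] = {}

    def create(self, name: str, description: str = "") -> ContextList:
        # List names are unique and not case sensitive, as the page states.
        key = name.strip().lower()
        if key in self._lists:
            raise ValueError(f"a list named {name!r} already exists")
        self._lists[key] = ContextList(name.strip(), description)
        return self._lists[key]

    def get(self, name: str) -> ContextList:
        return self._lists[name.strip().lower()]

    def lists_containing(self, value: str) -> list:
        return [lst.name for lst in self._lists.values() if lst.contains(value)]

    def export_csv(self, name: str) -> str:
        """Export one list as CSV text (the column layout is assumed here)."""
        lst = self.get(name)
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["list", "value"])
        for value in sorted(lst.entries):
            writer.writerow([lst.name, value])
        return buf.getvalue()


def triage(indicators, store: ListStore) -> dict:
    """Check each (meta key, value) indicator entity against the store.

    Returns {"suppressed": [whitelisted entities], "hits": {entity: [list names]}}:
    whitelisted entities drop out of the related entities, while entities found
    on any other list surface as indicators of compromise."""
    suppressed, hits = [], {}
    for _meta_key, value in indicators:
        norm = value.strip().lower()
        names = store.lists_containing(norm)
        if WHITELIST in names:
            suppressed.append(norm)
            continue
        if names:
            hits[norm] = sorted(names)
    return {"suppressed": suppressed, "hits": hits}


def build_demo_store() -> ListStore:
    """Constructed sample lists mirroring the two-list example above."""
    store = ListStore()
    c2 = store.create("Suspected C2 Domains", "domains seen in beaconing")
    c2.add("c2-beacon.example")
    rat = store.create("RAT Source IPs", "sources of remote access trojan sessions")
    rat.add("203.0.113.45")
    store.create(WHITELIST, "known-good infrastructure").add("cdn.example")
    return store


# Constructed indicator entities as (meta key, value) pairs; not real data.
SAMPLE_INDICATORS = [
    ("alias.host", "cdn.example"),
    ("alias.host", "C2-Beacon.example"),
    ("ip.src", "203.0.113.45"),
    ("ip.dst", "198.51.100.7"),
]

if __name__ == "__main__":
    store = build_demo_store()
    print(triage(SAMPLE_INDICATORS, store))
    print(store.export_csv("rat source ips"))
```

Running the block reports `cdn.example` as suppressed by the whitelist, `c2-beacon.example` and `203.0.113.45` as hits on their respective lists, and nothing for `198.51.100.7`, which is on no list; the lookup by `"rat source ips"` succeeds because list names are compared case-insensitively.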

Pivot to Investigate > Navigate

For a more thorough investigation of the incident, you can access the Investigate Navigate view.

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Investigate > Navigate.
    The Investigate Navigate view opens, which enables you to perform a deeper dive investigation.

For more information, see the NetWitness Investigate User Guide.

Pivot to Archer

To view more details about a device in RSA Archer® Cyber Incident & Breach Response, you can pivot to the device details page. This pivot is available only for IP address, host, and MAC address entities.

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over an underlined IP address, host, or MAC address to access a context tooltip.
  2. In the ACTIONS section, select Pivot to Archer.
    The device details page in RSA Archer Cyber Incident & Breach Response opens if you are logged in to the application; otherwise, the login screen is displayed.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly.

For more information, see the RSA Archer Integration Guide.

Pivot to NetWitness Endpoint Thick Client

If you have the NetWitness Endpoint thick client application installed, you can launch it from the context tooltip. From there, you can further investigate a suspicious IP address, host, or MAC address.

  1. In the Indicators panel, Events List, Event Details, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the ACTIONS section of the tooltip, select Pivot to Endpoint Thick Client.
    The NetWitness Endpoint thick client application opens outside of your web browser.

For more information on the thick client, see the NetWitness Endpoint User Guide.

View Event Analysis Details for Indicators

In the Incident Details view Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of the events. In the Event Analysis panel, you can view raw events and metadata with interactive features that enhance your ability to find meaningful patterns in the data. You can examine network, log, and endpoint events in the Event Analysis panel. The Event Analysis panel in the Respond view shows the Event Analysis view from Investigate for specific indicator events. For detailed information about the Event Analysis view, see the NetWitness Investigate User Guide.

Note: You must have the following Investigate-server permissions to view Event Analysis in the Respond view:
event.read
content.reconstruct
content.export

Migration Considerations

Migrated incidents from NetWitness Platform versions before 11.2 will not show the Event Analysis panel in the Respond Incident Details view Indicators panel. Likewise, if you use alerts that were migrated from versions before 11.2 to create incidents in 11.2, you will also not be able to view the Event Analysis panel in the Respond view for those incidents.

To access Event Analysis details for an event in the Indicators panel:

  1. Go to RESPOND > Incidents.
  2. In the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.
    The Incident Details view is displayed.
  3. In the left panel of the Incident Details view, select INDICATORS.
    Incident Details view with Indicators panel in view
    Data source information is shown below the names of the indicators. You can also see the creation date and time as well as the number of events in the indicator. If Event Analysis (EA) information is available, you can see an EA icon in front of the event as shown in the following figure.
    Event with EA icon visible
  4. Click an event with an EA icon to view additional event information.
    Indicators panel showing additional event details
  5. Click an event type hyperlink within the event to open the Event Analysis panel. In the following example, the event type is Network.
    Indicators panel showing event type hyperlink
    The Event Analysis panel shows event details for the event, such as packet analysis details. The information available can vary based on the event type.
    Incident Details view showing the Event Analysis panel for the selected event
    For detailed information about the Event Analysis view, see the NetWitness Investigate User Guide.

Note: If you want to send the Event Analysis URL link to another analyst, you can copy the event type hyperlink.

Document Steps Taken Outside of NetWitness

The journal shows notes added by analysts and it enables you to collaborate with your peers. You can post notes to a journal, add Investigation Milestone tags (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action on Objective, Containment, Eradication, and Closure), and view the history of activity on your incident.

View the Journal Entries for an Incident

In the Incident Details view toolbar, click the Journal icon.
Details view showing the Journal icon
The Journal appears on the right side of the Incident Details view.
Incident Details view showing Journal panel

The Journal shows the history of activity on an incident. For each journal entry, you can see the author and the time of the entry.
Journal Panel

Add a Note

Typically, you will want to add a note to allow another analyst to understand the incident, or add a note for posterity so that your investigative steps are documented.

  1. At the bottom of the Journal panel, type your note in the New Journal Entry box.
    New Journal Entry example
  2. (Optional) Select an Investigation Milestone from the drop-down list (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action On Objective, Containment, Eradication, and Closure).
  3. After you finish your note, click Submit.
    Your new journal entry appears in the Journal.
    Journal showing a successful journal entry

Delete a Note

  1. In the Journal panel, locate the journal entry that you would like to delete.
  2. Click the trash can (delete) icon next to the journal entry.
    Journal entry showing trash can (delete) icon
  3. In the confirmation dialog that appears, click OK to confirm that you want to delete the journal entry. This action cannot be reversed.

View Reputation Status of Filehash

You can view the reputation status of a file hash. The Context Hub populates this information for the file hash, and additional information about the entity may be available in the Context Hub.

To view the reputation status:

  1. In the Incidents tab, click an incident.
  2. Hover over a file hash.
    The Reputation Status is displayed.
