Respond: Responding to Incidents

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.
Version 6

The Respond view is designed to help you quickly identify ongoing issues in your network and work with other analysts to resolve them.

The Respond view presents Incident Responders with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. This enables you to determine the incident scope so you can escalate or remediate it as appropriate.

Within the Respond view, you can see Incidents, Alerts, and Tasks:

  • Incidents: Enables you to respond to and manage incidents from start to finish.
  • Alerts: Enables you to manage alerts from all sources received by NetWitness Suite and create incidents from selected alerts.
  • Tasks: Enables you to view and manage the complete list of tasks created for all incidents.

If you navigate to RESPOND > Incidents, you can see the Incidents List view and from there you can access the Incident Details view for a selected incident. These are the main views that you use to respond to incidents. The following figure shows the list of prioritized incidents in the Incidents List view.

Respond view - Incidents List view

The next figure shows an example of details available in the Incident Details view.

Incident Details View

The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed.

Responding to Incidents Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Suite.

High-level workflow for responding to incidents

First, you review the list of prioritized incidents, which shows basic information about each incident, and determine which incidents require action. You can click a link in an incident to get a clearer picture of the incident with supporting details in the Incident Details view. From there, you can further investigate the incident. You can then determine how to respond to the incident, by escalating or remediating it.

These are the basic steps for responding to an incident:

  1. Review Prioritized Incident List
  2. Determine which Incidents Require Action
  3. Investigate the Incident
  4. Escalate or Remediate the Incident


Review Prioritized Incident List

In the Respond view, you can view the list of prioritized incidents. The incident list shows both active and closed incidents.

View the Incidents List

After logging in to NetWitness Suite, most Incident Responders see the Respond view, which is set as the default view. If you have a different initial view, you can navigate to the Respond view.

  1. Log in to NetWitness Suite.
    The Respond view shows the list of incidents, also referred to as the Incident List view.
    Respond view - Incidents List view
  2. If you do not see the incidents list in the Respond view, go to RESPOND > Incidents.
  3. Scroll through the incidents list, which shows basic information about each incident in the following columns.

  • CREATED: Shows the creation date of the incident.
  • PRIORITY: Shows the incident priority. Priority can be Critical, High, Medium or Low. The priority is color coded: red indicates a Critical incident, orange a High incident, yellow a Medium incident, and green a Low incident. For example:
    Shows Risk Levels
  • RISK SCORE: Shows the incident risk score. The risk score indicates the risk of the incident as calculated by an algorithm and is between 0 and 100, where 100 is the highest risk score.
  • ID: Shows the automatically created incident number. Each incident is assigned a unique number that you can use to track the incident.
  • NAME: Shows the incident name. The incident name is derived from the rule used to trigger the incident. Click the link to go to the Incident Details view for the selected incident.
  • STATUS: Shows the incident status. The status can be New, Assigned, In Progress, Task Requested, Task Complete, Closed, or Closed - False Positive.
  • ASSIGNEE: Shows the team member currently assigned to the incident.
  • ALERTS: Shows the number of alerts associated with the incident. An incident may include many alerts; a large number of alerts might mean that you are experiencing a large-scale attack.

At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number selected. For example: Showing 1000 out of 1115 items | 3 selected. The maximum number of incidents that you can view at one time is 1,000.


Filter the Incident List

The number of incidents in the Incidents List view can be very large, making it difficult to locate particular incidents. The Filter enables you to specify those incidents that you would like to view. You can also choose the timeframe when those incidents occurred. For example, you may want to view all of the new critical incidents created within the last hour.

  1. Verify that the Filters panel appears to the left of the incidents list. If you do not see it, click the Filter icon in the Incident List view toolbar to open the Filters panel.
    Filters panel
  2.  In the Filters panel, select one or more options to filter the incidents list:
    • TIME RANGE: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the incidents. For example, if you select Last Hour, you will see incidents that were created within the last 60 minutes.
    • CUSTOM DATE RANGE: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
      Custom Date Range option in the filter
    • INCIDENT ID: Type the Incident ID for an incident you would like to locate, for example INC-1050.
    • PRIORITY: Select the priorities that you would like to view.
    • STATUS: Select one or more incident statuses. For example, select Closed - False Positive to view only false positive incidents, that is, incidents that were initially identified as suspicious but were later found to be benign.
    • ASSIGNEE: Select the assignee or assignees of the incidents that you would like to view. For example, if you only want to view the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. If you want to view incidents regardless of the assignee, do not make a selection under Assignee.
    • CATEGORIES: Select one or more categories from the drop-down list. For example, if you only want to view incidents classified with the Backdoor or Privilege abuse categories, select Backdoor and Privilege abuse.

    The incidents list shows a list of incidents that meet your selection criteria. You can see the number of incidents in your filtered list at the bottom of the incident list.
    Number of incidents shown in the Incident List footer

  3. Click the Close (x) icon to close the Filters panel and return to the Incidents List view, which now shows your filtered incidents.

Remove My Filters from the Incident List View

NetWitness Suite remembers your filter selections in the Incident List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of incidents that you expect to see or you want to view all of the incidents in your incident list, you can reset your filters.

  1. In the Incident List view toolbar, click the Filter icon.
    The Filters panel appears to the left of the incidents list.
  2. At the bottom of the Filters panel, click Reset Filters.


View My Incidents

You can view your incidents by filtering the incidents by your username.

  1. If you cannot see the Filters panel, click the Filter icon in the Incident List view toolbar.
  2. In the Filters panel, under ASSIGNEE, select your username from the drop-down list.
    The incidents list shows the incidents that are assigned to you.


Find an Incident

If you know the Incident ID, you can quickly locate an incident using the Filter. For example, you may want to locate a specific incident out of thousands of incidents.

  1. Go to RESPOND > Incidents.
    The Filters panel appears to the left of the incidents list. If you do not see the Filters panel, click the Filter icon in the Incidents List view toolbar to open it.
    Incidents List Filters panel showing example search for an incident in the INCIDENT ID field
  2. In the INCIDENT ID field, type the INCIDENT ID for an incident that you would like to locate, for example INC-1110.

    The specified incident appears in your incident list. If you do not see any results, your other filter selections (for example, the time range) may be excluding the incident, because the Incident ID filter is applied together with them; try resetting your filters.
    Incidents List showing the result of an Incident ID filter

Sort the Incidents List

The default sort for the incidents list is by Created date in descending order (newest on the top).

Incidents List showing default sort column "Created"

You can change the sort order of the incidents list by clicking a column in the list.

For example, to prioritize the incidents, you can sort your view by the Priority column. To do this, hover over the Priority column and click the down arrow icon. The incident list sorts by Priority in descending order (highest priority on top), as shown in the following figure.

Incident List showing sort by Priority descending

To sort by Priority in ascending order (lowest priority on top), click the up arrow icon, as shown in the following figure.

Incident List showing sort by Priority ascending
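The filter and sort behaviour described in Filter the Incident List and Sort the Incidents List, modelled as an added example. This is stand-alone Python written for this page, not NetWitness Suite code and not its API: the incident records, the fixed reference time NOW, the assignee names and categories, and the tie-break used when two incidents share a priority (newest created first, which the page does not specify) are all assumptions of the example. It reproduces the page's worked case (new Critical incidents created within the last hour), the rule that an empty selection imposes no restriction, and the 1,000-item cap shown in the list footer.

```python
"""Model of the Respond Incidents List filter, sort and page footer.

Added example, not NetWitness Suite code: records, NOW and the sample
queue are constructed here to mirror the columns the page describes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Sequence

PRIORITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
PRIORITY_COLOR = {"Critical": "red", "High": "orange", "Medium": "yellow", "Low": "green"}
STATUSES = frozenset({"New", "Assigned", "In Progress", "Task Requested",
                      "Task Complete", "Closed", "Closed - False Positive"})
PAGE_LIMIT = 1000            # the list view shows at most 1,000 incidents at a time
LAST_HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class Incident:
    id: str
    name: str                # derived from the rule that triggered the incident
    created: datetime
    priority: str
    risk_score: int          # 0-100, 100 is the highest risk
    status: str
    assignee: Optional[str]
    alerts: int
    categories: frozenset = frozenset()

    def __post_init__(self) -> None:
        if self.priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {self.priority!r}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")
        if not 0 <= self.risk_score <= 100:
            raise ValueError("risk score must be between 0 and 100")


def filter_incidents(incidents: Iterable[Incident], *, now: datetime,
                     time_range: Optional[timedelta] = None,
                     custom_range: Optional[tuple[datetime, datetime]] = None,
                     incident_id: Optional[str] = None,
                     priorities: Sequence[str] = (), statuses: Sequence[str] = (),
                     assignees: Sequence[str] = (), categories: Sequence[str] = ()) -> list[Incident]:
    """Apply the Filters panel options. An empty selection imposes no restriction,
    so leaving ASSIGNEE unselected returns incidents regardless of assignee."""
    if time_range is not None and custom_range is not None:
        raise ValueError("select either a Time Range or a Custom Date Range, not both")
    kept = []
    for inc in incidents:
        if time_range is not None and inc.created < now - time_range:
            continue  # Time Range is measured against the creation date
        if custom_range is not None and not custom_range[0] <= inc.created <= custom_range[1]:
            continue
        if incident_id is not None and inc.id != incident_id:
            continue
        if priorities and inc.priority not in priorities:
            continue
        if statuses and inc.status not in statuses:
            continue
        if assignees and inc.assignee not in assignees:
            continue
        if categories and not inc.categories.intersection(categories):
            continue  # an incident matches if it carries any selected category
        kept.append(inc)
    return kept


def sort_incidents(incidents: Iterable[Incident], column: str = "created",
                   descending: bool = True) -> list[Incident]:
    """Sort by one column; the default is Created, newest on top. Ties are broken by
    creation date, newest first (an assumption of this example, for determinism)."""
    keys = {"created": lambda i: i.created, "priority": lambda i: PRIORITY_RANK[i.priority],
            "risk_score": lambda i: i.risk_score, "alerts": lambda i: i.alerts}
    ordered = sorted(incidents, key=keys["created"], reverse=True)
    if column == "created":
        return ordered if descending else ordered[::-1]
    ordered.sort(key=keys[column], reverse=descending)  # stable, so the tie-break survives
    return ordered


def page_footer(incidents: Sequence[Incident], selected: int = 0) -> tuple[list[Incident], str]:
    """Return the visible page (capped at PAGE_LIMIT) and the footer text."""
    shown = list(incidents[:PAGE_LIMIT])
    return shown, f"Showing {len(shown)} out of {len(incidents)} items | {selected} selected"


def ids(incidents: Iterable[Incident]) -> list[str]:
    return [i.id for i in incidents]


# Constructed sample queue; NOW is fixed so the results are reproducible.
NOW = datetime(2017, 10, 15, 12, 0, tzinfo=timezone.utc)


def make_incident(n, minutes_ago, priority, risk, status, assignee, alerts, cats=()):
    return Incident(f"INC-{n}", f"rule-{n}", NOW - timedelta(minutes=minutes_ago), priority,
                    risk, status, assignee, alerts, frozenset(cats))


SAMPLE_INCIDENTS = [
    make_incident(1050, 15, "Critical", 95, "New", None, 120, ("Backdoor",)),
    make_incident(1051, 45, "High", 70, "Assigned", "Cale", 8),
    make_incident(1052, 90, "Critical", 88, "New", None, 40, ("Privilege abuse",)),
    make_incident(1053, 5, "Medium", 35, "In Progress", "Stanley", 3),
    make_incident(1054, 400, "Low", 10, "Closed - False Positive", "Cale", 1),
    make_incident(1055, 30, "Critical", 60, "Assigned", "Stanley", 15, ("Backdoor", "Privilege abuse")),
]

if __name__ == "__main__":
    # The page's worked case: new Critical incidents created within the last hour.
    hot = filter_incidents(SAMPLE_INCIDENTS, now=NOW, time_range=LAST_HOUR,
                           priorities=("Critical",), statuses=("New",))
    for inc in sort_incidents(hot, "priority"):
        print(inc.id, inc.priority, PRIORITY_COLOR[inc.priority], inc.risk_score, inc.alerts)
    print(page_footer(SAMPLE_INCIDENTS, selected=3)[1])
```

Running the block prints INC-1050 as the only new Critical incident created within the last hour: INC-1052 is also Critical and New but was created 90 minutes before NOW, and INC-1055 is Critical but already Assigned. The footer for a queue of 1,115 incidents reads "Showing 1000 out of 1115 items | 3 selected", matching the cap the page describes.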


Assign Incidents to Myself

  1. In the Incident List view, select one or more incidents that you want to assign to yourself.
  2. Click Change Assignee and select your username from the drop-down list.
    Incidents List showing Assignee drop-down list
  3. If you selected more than one incident, in the Confirm Update dialog, click OK.
    Confirm Update dialog

You will see a successful change notification.
Incident List showing success message
