The Respond view is designed to help you quickly identify the ongoing issues in your network and work with other Analysts to quickly solve the issues.
The Respond view presents Incident Responders with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. This enables you to determine the incident scope so you can escalate or remediate it as appropriate.
Within the Respond view, you can see Incidents, Alerts, and Tasks:
- Incidents: Enables you to respond to and manage incidents from start to finish.
- Alerts: Enables you to manage alerts from all sources received by NetWitness Suite and create incidents from selected alerts.
- Tasks: Enables you to view and manage the complete list of tasks created for all incidents.
If you navigate to RESPOND > Incidents, you can see the Incidents List view and from there you can access the Incident Details view for a selected incident. These are the main views that you use to respond to incidents. The following figure shows the list of prioritized incidents in the Incidents List view.
The next figure shows an example of details available in the Incident Details view.
The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed.
Responding to Incidents Workflow
This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Suite.
First, you review the list of prioritized incidents, which shows basic information about each incident, and determine which incidents require action. You can click a link in an incident to get a clearer picture of the incident with supporting details in the Incident Details view. From there, you can further investigate the incident. You can then determine how to respond to the incident, by escalating or remediating it.
These are the basic steps for responding to an incident:
- Review Prioritized Incident List
- Determine which Incidents Require Action
- Investigate the Incident
- Escalate or Remediate the Incident
In the Respond view, you can view the list of prioritized incidents. The incident list shows both active and closed incidents.
View the Incidents List
After logging in to NetWitness Suite, most Incident Responders see the Respond view, which is set as the default view. If you have a different initial view, you can navigate to the Respond view.
- Log in to NetWitness Suite.
The Respond view shows the list of incidents, also referred to as the Incident List view.
- If you do not see the incidents list in the Respond view, go to RESPOND > Incidents.
- Scroll through the incidents list, which shows basic information about each incident as described in the following table.
At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number selected. For example: Showing 1000 out of 1115 items | 3 selected. The maximum number of incidents that you can view at one time is 1,000.
The number of incidents in the Incidents List view can be very large, making it difficult to locate particular incidents. The Filter enables you to specify those incidents that you would like to view. You can also choose the timeframe when those incidents occurred. For example, you may want to view all of the new critical incidents created within the last hour.
- Verify that the Filters panel appears to the left of the incidents list. If you do not see the Filters panel, in the Incident List view toolbar, click , which opens the Filters panel.
- In the Filters panel, select one or more options to filter the incidents list:
- TIME RANGE: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the incidents. For example, if you select Last Hour, you will see incidents that were created within the last 60 minutes.
- CUSTOM DATE RANGE: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
- INCIDENT ID: Type the Incident ID for an incident you would like to locate, for example INC-1050.
- PRIORITY: Select the priorities that you would like to view.
- STATUS: Select one or more incident statuses. For example, select Closed - False Positive to view only false positive incidents, which were initially identified as suspicious, but then they were later found to be safe.
- ASSIGNEE: Select the assignee or assignees of the incidents that you would like to view. For example, if you only want to view the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. If you want to view incidents regardless of the assignee, do not make a selection under Assignee.
- CATEGORIES: Select one or more categories from the drop-down list. For example, if you only want to view incidents classified with the Backdoor or Privilege abuse categories, select Backdoor and Privilege abuse.
- Click to close the Filters panel and return to the Incidents List view, which now shows your filtered incidents.
Remove My Filters from the Incident List View
NetWitness Suite remembers your filter selections in the Incident List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of incidents that you expect to see or you want to view all of the incidents in your incident list, you can reset your filters.
- In the Incident List view toolbar, click .
The Filters panel appears to the left of the incidents list.
- At the bottom of the Filters panel, click Reset Filters.
You can view your incidents by filtering the incidents by your username.
- If you cannot see the Filter panel, in the Incident List view toolbar, click .
- In the Filter panel, under ASSIGNEE, select your username from the drop-down list.
The incidents list shows the incidents that are assigned to you.
If you know the Incident ID, you can quickly locate an incident using the Filter. For example, you may want to locate a specific incident out of thousands of incidents.
- Go to RESPOND > Incidents.
The Filters panel appears to the left of the incidents list. If you do not see the Filters panel, in the Incident Lists view toolbar, click , which opens the Filters panel.
- In the INCIDENT ID field, type the INCIDENT ID for an incident that you would like to locate, for example INC-1110.
Sort the Incidents List
The default sort for the incidents list is by Created date in descending order (newest on the top).
You change the sort order of the incidents list by clicking a column in the list.
For example, to prioritize the incidents, you can sort your view by the Priority column. To do this, hover over the Priority column and click the down arrow . The incident list sorts by Priority in descending order (highest priority on top), as shown in the following figure.
- In the Incident List view, select one or more incidents that you want to assign to yourself.
- Click Change Assignee and select your username from the drop-down list.
- If you selected more than one incident, in the Confirm Update dialog, click OK.