An Incident is a logically grouped set of alerts created automatically by the Incident Aggregation Engine and grouped by specific criteria. An incident, available in the Respond view, allows an Analyst to triage, investigate, and remediate these groups of alerts. Incidents can be moved between users, annotated, and explored using a nodal graph. Incidents allow users to ensure that they understand the full scope of an attack or event in their RSA NetWitness Platform system and then take action.
The Respond view is designed to help you quickly identify the ongoing issues in your network and work with other Analysts to quickly solve the issues.
The Respond view presents Incident Responders with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. This enables you to determine the incident scope so you can escalate or remediate it as appropriate.
Within the Respond view, you can see Incidents, Alerts, and Tasks:
- Incidents: Enables you to respond to and manage incidents from start to finish.
- Alerts: Enables you to manage alerts from all sources received by NetWitness Platform and create incidents from selected alerts.
- Tasks: Enables you to view and manage the complete list of tasks created for all incidents.
If you navigate to Respond > Incidents, you can see the Incidents List view and from there you can access the Incident Details view for a selected incident. These are the main views that you use to respond to incidents. The following figure shows the list of prioritized incidents in the Incidents List view.
The next figure shows an example of details available in the Incident Details view.
The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.
In NetWitness Platform Version 11.4 and later, alerts and incidents are also displayed in the Springboard by default. Springboard is a landing page for analysts showing them all risks detected by the platform in a single place. For more information on the Springboard, see "Managing the Springboard" in the NetWitness Platform Getting Started Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
Responding to Incidents Workflow
This workflow shows the high-level process that Incident Responders use to respond to incidents in the Respond view.
First, you review the list of prioritized incidents, which shows basic information about each incident, and determine which incidents require action. You can click a link in an incident to get a clearer picture of the incident with supporting details in the Incident Details view. From there, you can further investigate the incident. You can then determine how to respond to the incident, by escalating or remediating it.
These are the basic steps for responding to an incident:
- Review Prioritized Incident List
- Determine which Incidents Require Action
- Investigate the Incident
- Escalate or Remediate the Incident
In the Respond view, you can view the list of prioritized incidents. The incident list shows both active and closed incidents.
This topic contains the following basic incident list procedures:
- View the Incidents List
- Filter the Incident List
- Remove My Filters from the Incidents List View
- Save the Current Incidents Filter
- Update a Saved Incidents Filter
- Delete a Saved Incidents Filter
- View My Incidents
- Find an Incident
- Sort the Incidents List
- View Unassigned Incidents
- Assign Incidents to Myself
- Unassign an Incident
View the Incidents List
After logging in to NetWitness Platform, most Incident Responders see the Respond view, which is set as the default view. If you have a different initial view, you can navigate to the Respond view.
- Log in to NetWitness Platform.
The Respond view shows the list of incidents, also referred to as the Incident List view.
- If you do not see the incidents list in the Respond view, go to Respond > Incidents.
- Scroll through the incidents list, which shows basic information about each incident as described in the following table.
At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number selected. For example: Showing 1000 out of 1115 items | 3 selected. The maximum number of incidents that you can view at one time is 1,000.
Filter the Incident List
The number of incidents in the Incidents List view can be very large, making it difficult to locate particular incidents. The Filter enables you to specify those incidents that you would like to view. You can also choose the timeframe when those incidents occurred. For example, you may want to view all of the new critical incidents created within the last hour.
- Verify that the Filters panel appears to the left of the incidents list. If you do not see the Filters panel, in the Incident List view toolbar, click the Filters icon, which opens the Filters panel.
- In the Filters panel, select one or more options to filter the incidents list:
- Time Range: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the incidents. For example, if you select Last Hour, you can see incidents that were created within the last 60 minutes.
- Custom Date Range: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
- Incident ID: Type the number of the incident that you would like to locate. For example, for INC-1050, type only the number "1050" to view the incident.
- Priority: Select the priorities that you would like to view.
- Status: Select one or more incident statuses. For example, select Closed - False Positive to view only false positive incidents, which were initially identified as suspicious but were later found to be benign.
- Assignee: Select the assignee or assignees of the incidents that you would like to view. For example, if you only want to view the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. If you want to view incidents regardless of the assignee, do not make a selection under Assignee. (Available in version 11.1 and later) To view only unassigned incidents, select Show only unassigned incidents.
- Categories: Select one or more categories from the drop-down list. For example, if you only want to view incidents classified with the Backdoor or Privilege abuse categories, select Backdoor and Privilege abuse.
- Sent to Archer: (In version 11.2 and later, if RSA Archer is configured as a data source in Context Hub, you can send incidents to Archer Cyber Incident & Breach Response and this option will be available in NetWitness Respond.) To view incidents that were sent to Archer, select Yes. For incidents that were not sent to Archer, select No.
- If you want to close the Filters panel, click the close icon. Your filters remain in place until you remove them.
Remove My Filters from the Incidents List View
NetWitness Platform remembers your filter selections in the Incidents List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of incidents that you expect to see, or you want to view all of the incidents in your incident list, you can reset your filters.
- In the Incident List view toolbar, click the Filters icon.
The Filters panel appears to the left of the incidents list.
- At the bottom of the Filters panel, click Reset.
Save the Current Incidents Filter
Saved filters provide a way for analysts to save and quickly apply specific filter conditions to the list of incidents. You can also use these filters to customize the Springboard landing page. For example, you may want to create a filter to show only critical incidents over the last 24 hours.
Saved filters are global. You can save a filter for other analysts to use and you can use any saved filter.
- In the Filters panel, select one or more options to filter the incidents list. For example, in the Time Range field, select Last 24 Hours, and for Priority, select Critical.
- Click Save As and in the Save Filter dialog, enter a unique name for the filter and save it, for example Last24Hours-Critical.
The filter is added to the Saved Filters list.
Update a Saved Incidents Filter
- In the Filters panel Saved Filters drop-down list, select a saved filter.
- Update your filter selections and click Save.
Delete a Saved Incidents Filter
When a saved filter is no longer required, you can remove it from the saved filters list. Filters used in the Springboard cannot be deleted.
- In the Filters panel, open the Saved Filters drop-down list.
- Next to the filter name, click the delete icon to delete it.
View My Incidents
You can view your incidents by filtering the incidents by your username.
- If you cannot see the Filters panel, in the Incidents List view toolbar, click the Filters icon.
- In the Filters panel, under Assignee, select Myself (your full name) from the drop-down list.
The incidents list shows the incidents that are assigned to you.
Find an Incident
If you know the Incident ID, you can quickly locate an incident using the Filter. For example, you may want to locate a specific incident out of thousands of incidents.
- Go to Respond > Incidents.
The Filters panel is located to the left of the incidents list. If you do not see the Filters panel, in the Incident List view toolbar, click the Filters icon, which opens the Filters panel.
- In the INCIDENT ID field, type the Incident ID for an incident that you would like to locate, for example, type 25 for INC-25.
Sort the Incidents List
You can change the sort order of the incidents list by clicking a column header in the list.
For example, to prioritize the incidents, you can sort your view by clicking the Priority column header. The following figure shows the incidents list sorted by Priority in ascending order (lowest priority on top).
To sort by Priority in descending order (highest priority on top), click the Priority column header again. The highest priority incidents are at the top as shown in the following figure.
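The following Python model is an added illustration, not NetWitness code, of the semantics the Filters panel and the Priority column sort described above: Time Range and Custom Date Range apply to the incident creation date, Incident ID matches on the numeric part only ("1050" finds INC-1050), an empty selection leaves that option unrestricted, Show only unassigned incidents keeps incidents with no assignee, and a second click on the Priority header reverses the order. The priority ranking Low < Medium < High < Critical, the any-match rule for Categories, and the sample queue are assumptions made for the example.

```python
"""Illustrative model of the Respond incidents-list filter and sort semantics.

Constructed example; not NetWitness Platform code. The priority ranking and
the category matching rule are assumptions, as is the sample queue below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed ranking used when sorting by the Priority column.
PRIORITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Incident:
    incident_id: str            # for example "INC-1050"
    created: datetime           # creation date; Time Range filters on this
    priority: str
    status: str
    assignee: Optional[str]     # None means the incident is unassigned
    categories: tuple = ()


@dataclass
class IncidentFilter:
    last: Optional[timedelta] = None      # Time Range option, e.g. Last Hour
    start: Optional[datetime] = None      # Custom Date Range start
    end: Optional[datetime] = None        # Custom Date Range end
    incident_id: Optional[str] = None     # number only, e.g. "1050"
    priorities: frozenset = frozenset()   # empty selection = no restriction
    statuses: frozenset = frozenset()
    assignees: frozenset = frozenset()
    unassigned_only: bool = False         # "Show only unassigned incidents"
    categories: frozenset = frozenset()


def matches(inc: Incident, f: IncidentFilter, now: datetime) -> bool:
    """Return True when the incident satisfies every selected filter option."""
    if f.last is not None and inc.created < now - f.last:
        return False
    if f.start is not None and inc.created < f.start:
        return False
    if f.end is not None and inc.created > f.end:
        return False
    # The UI takes only the numeric part of the ID: "1050" finds INC-1050.
    if f.incident_id is not None and inc.incident_id.split("-")[-1] != f.incident_id:
        return False
    if f.priorities and inc.priority not in f.priorities:
        return False
    if f.statuses and inc.status not in f.statuses:
        return False
    if f.unassigned_only and inc.assignee is not None:
        return False
    if f.assignees and inc.assignee not in f.assignees:
        return False
    # Assumption: an incident matches when it carries any selected category.
    if f.categories and not f.categories.intersection(inc.categories):
        return False
    return True


def filter_incidents(incidents, f: IncidentFilter, now: Optional[datetime] = None):
    """Apply the filter the way the Filters panel narrows the incidents list."""
    now = now or datetime.now(timezone.utc)
    return [i for i in incidents if matches(i, f, now)]


def sort_by_priority(incidents, descending: bool = False):
    """First click on the Priority header: ascending; second click: descending."""
    return sorted(incidents, key=lambda i: PRIORITY_RANK[i.priority], reverse=descending)


# Constructed sample queue (not real incident data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident("INC-25", NOW - timedelta(hours=30), "Low", "Closed - False Positive", "Cale", ("Backdoor",)),
    Incident("INC-1050", NOW - timedelta(minutes=20), "Critical", "New", None, ("Privilege abuse",)),
    Incident("INC-1051", NOW - timedelta(minutes=90), "High", "Assigned", "Stanley", ()),
    Incident("INC-1052", NOW - timedelta(minutes=5), "Medium", "New", None, ("Backdoor", "Malware")),
]

if __name__ == "__main__":
    # "All new critical incidents created within the last hour"
    queue = filter_incidents(
        SAMPLE,
        IncidentFilter(last=timedelta(hours=1), statuses=frozenset({"New"}), priorities=frozenset({"Critical"})),
        NOW,
    )
    print([i.incident_id for i in queue])
```

Running the module prints the single incident that is new, critical, and under an hour old; the other helpers can be called the same way to reproduce the Last 24 Hours, Assignee, Incident ID, and unassigned-only selections from the procedure.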
View Unassigned Incidents
You can view unassigned incidents using the Filter.
- If you cannot see the Filters panel, in the Incident List view toolbar, click the Filters icon.
- In the Filters panel, under Assignee, select Show only unassigned incidents.
The incidents list is filtered to show unassigned incidents.
Assign Incidents to Myself
- In the Incident List view, select one or more incidents that you want to assign to yourself.
- Click Change Assignee and select Myself (your full name) from the drop-down list.
- If you selected more than one incident, in the Confirm Update dialog, click OK.
You can see a successful change notification.
Unassign an Incident
- In the Incident List view, select one or more incidents that you want to unassign.
- Click Change Assignee and select (Unassigned) from the drop-down list.
- If you selected more than one incident, in the Confirm Update dialog, click OK.
- Verify that the Status is still correct and make changes as required. To change the status, select one or more incidents, click Change Status, and select a new status.
For example, if you assigned an incident to yourself by mistake, you can unassign the incident and then change the Status from Assigned back to New.