Respond: Responding to Incidents

Document created by RSA Information Design and Development on Sep 14, 2017Last modified by RSA Information Design and Development on Sep 11, 2018
Version 9Show Document
  • View in full screen mode
 

An Incident is a logically grouped set of alerts created automatically by the Incident Aggregation Engine and grouped by a specific criteria. An incident, available in the Respond view, allows an Analyst to triage, investigate, and remediate these groups of alerts. Incidents can be moved between users, notated, and explored using a nodal graph. Incidents allow users to ensure that they understand the full scope of an attack or event in their RSA NetWitness® Platform system and then take action.

The Respond view is designed to help you quickly identify the ongoing issues in your network and work with other Analysts to quickly solve the issues.

The Respond view presents Incident Responders with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. This enables you to determine the incident scope so you can escalate or remediate it as appropriate.

Within the Respond view, you can see Incidents, Alerts, and Tasks:

  • Incidents: Enables you to respond to and manage incidents from start to finish.
  • Alerts: Enables you to manage alerts from all sources received by NetWitness Platform and create incidents from selected alerts.
  • Tasks: Enables you to view and manage the complete list of tasks created for all incidents.

If you navigate to RESPOND > Incidents, you can see the Incidents List view and from there you can access the Incident Details view for a selected incident. These are the main views that you use to respond to incidents. The following figure shows the list of prioritized incidents in the Incidents List view.

Respond view - Incidents List view

The next figure shows an example of details available in the Incident Details view.

Incident Details View

The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.

Incident Details view showing the Event Analysis panel

Responding to Incidents Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness Platform.

High-level workflow for responding to incidents

First, you review the list of prioritized incidents, which shows basic information about each incident, and determine which incidents require action. You can click a link in an incident to get a clearer picture of the incident with supporting details in the Incident Details view. From there, you can further investigate the incident. You can then determine how to respond to the incident, by escalating or remediating it.

These are the basic steps for responding to an incident:

  1. Review Prioritized Incident List
  2. Determine which Incidents Require Action
  3. Investigate the Incident
  4. Escalate or Remediate the Incident

 

Review Prioritized Incident List

In the Respond view, you can view the list of prioritized incidents. The incident list shows both active and closed incidents.

View the Incidents List

After logging in to NetWitness Platform, most Incident Responders see the Respond view, which is set as the default view. If you have a different initial view, you can navigate to the Respond view.

  1. Log in to NetWitness Platform.
    The Respond view shows the list of incidents, also referred to as the Incident List view.
    Incident List View
  2. If you do not see the incidents list in the Respond view, go to RESPOND > Incidents.
  3. Scroll through the incidents list, which shows basic information about each incident as described in the following table.
                                           
ColumnDescription
CREATEDShows the creation date of the incident.
PRIORITYShows the incident priority. Priority can be Critical, High, Medium or Low.

The Priority is color coded, where red indicates a Critical incident, orange represents a High risk incident, yellow indicates a Medium risk incident, and green represents a Low risk incident. For example:

Shows Risk Levels

RISK SCORE

Shows the incident risk score. The risk score indicates the risk of the incident as calculated using an algorithm and is between 0-100. 100 is the highest risk score.

IDShows the automatically created incident number. Each incident is assigned a unique number that you can use to track the incident.
NAMEShows the incident name. The incident name is derived from the rule used to trigger the incident. Click the link to go to the Incident Details view for the selected incident.
STATUS

Shows the incident status. The status can be: New, Assigned, In Progress, Task Requested, Task Complete, Closed, and Closed - False Positive.

ASSIGNEEShows the team member currently assigned to the incident.
ALERTSShows the number of alerts associated with the incident. An incident may include many alerts. A large number of alerts might mean that you are experiencing a large-scale attack.

At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number selected. For example: Showing 1000 out of 1115 items | 3 selected. The maximum number of incidents that you can view at one time is 1,000.

Filter the Incident List

The number of incidents in the Incidents List view can be very large, making it difficult to locate particular incidents. The Filter enables you to specify those incidents that you would like to view. You can also choose the timeframe when those incidents occurred. For example, you may want to view all of the new critical incidents created within the last hour.

  1. Verify that the Filters panel appears to the left of the incidents list. If you do not see the Filters panel, in the Incident List view toolbar, click Filter icon, which opens the Filters panel.
    Incident Filters panel
  2.  In the Filters panel, select one or more options to filter the incidents list:
    • TIME RANGE: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the incidents. For example, if you select Last Hour, you can see incidents that were created within the last 60 minutes.
    • CUSTOM DATE RANGE: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
      Custom Date Range option in the filter
    • INCIDENT ID: Type the Incident ID for an incident you would like to locate, for example INC-1050.
    • PRIORITY: Select the priorities that you would like to view.
    • STATUS: Select one or more incident statuses. For example, select Closed - False Positive to view only false positive incidents, which were initially identified as suspicious, but then they were later found to be safe.
    • ASSIGNEE: Select the assignee or assignees of the incidents that you would like to view. For example, if you only want to view the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. If you want to view incidents regardless of the assignee, do not make a selection under Assignee.
      (Available in version 11.1 and later) To view only unassigned incidents, select Show only unassigned incidents.
    • CATEGORIES: Select one or more categories from the drop-down list. For example, if you only want to view incidents classified with the Backdoor or Privilege abuse categories, select Backdoor and Privilege abuse.
    • SENT TO ARCHER: (In version 11.2 and later, if RSA Archer is configured as a data source in Context Hub, you can send incidents to Archer Cyber Incident & Breach Response and this option will be available in NetWitness Respond.) To view incidents that were sent to Archer, select Yes. For incidents that were not sent to Archer, select No.

    The incidents list shows a list of incidents that meet your selection criteria. You can see the number of incidents in your filtered list at the bottom of the incident list.
    Number of incidents shown in the Incident List footer

  3. Click Close (x) icon to close the Filters panel and return to the Incidents List view, which now shows your filtered incidents.

Remove My Filters from the Incident List View

NetWitness Platform remembers your filter selections in the Incident List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of incidents that you expect to see or you want to view all of the incidents in your incident list, you can reset your filters.

  1. In the Incident List view toolbar, click Filter icon.
    The Filters panel appears to the left of the incidents list.
  2. At the bottom of the Filters panel, click Reset Filters.

View My Incidents

You can view your incidents by filtering the incidents by your username.

  1. If you cannot see the Filter panel, in the Incident List view toolbar, click Filter icon.
  2. In the Filter panel, under ASSIGNEE, select your username from the drop-down list.
    The incidents list shows the incidents that are assigned to you.

Find an Incident

If you know the Incident ID, you can quickly locate an incident using the Filter. For example, you may want to locate a specific incident out of thousands of incidents.

  1. Go to RESPOND > Incidents.
    The Filters panel appears to the left of the incidents list. If you do not see the Filters panel, in the Incident Lists view toolbar, click Filter icon, which opens the Filters panel.
    Part of Incidents List Filters panel showing example search for an incident in the INCIDENT ID field
  2. In the INCIDENT ID field, type the Incident ID for an incident that you would like to locate, for example INC-36.

    The specified incident appears in your incident list. If you do not see any results, try resetting your filters.
    Incidents List showing the result of an Incident ID filter

Sort the Incidents List

The default sort for the incidents list is by Created date in descending order down arrow graphic (newest on the top).

Incidents List showing default sort column "Created"

You can change the sort order of the incidents list by clicking a column header in the list.

For example, to prioritize the incidents, you can sort your view by clicking the Priority column header. The following figure shows the incidents list sorted by Priority in ascending order Up arrow icon (lowest priority on top).

Incident List showing sort by Priority ascending

To sort by Priority in descending order (highest priority on top), click the Priority column header again. The highest priority incidents are at the top as shown in the following figure.

Incident List showing sort by Priority descending

View Unassigned Incidents

Note: This option is available in version 11.1 and later.

You can view unassigned incidents using the Filter.

  1. If you cannot see the Filter panel, in the Incident List view toolbar, click Filter icon.
  2. In the Filters panel, under ASSIGNEE, select Show only unassigned incidents.
    "Show only unassigned incidents" option filter selection
    The incidents list is filtered to show unassigned incidents.

Assign Incidents to Myself

  1. In the Incident List view, select one or more incidents that you want to assign to yourself.
  2. Click Change Assignee and select your username from the drop-down list.
    Incidents List showing Assignee drop-down list
  3. If you selected more than one incident, in the Confirm Update dialog, click OK.
    Confirm Update dialog

You can see a successful change notification.
Incident List showing success message

Unassign an Incident

  1. In the Incident List view, select one or more incidents that you want to unassign.
  2. Click Change Assignee and select (Unassigned) from the drop-down list.
    Incidents List showing Assignee drop-down list with (Unassign) selected
  3. If you selected more than one incident, in the Confirm Update dialog, click OK.
    Confirm Update dialog for Unassign
  4. Verify that the Status is still correct and make changes as required. To change the status, select one or more incidents, click Change Status, and select a new status.
    For example, if you assigned an incident to yourself by mistake, you can unassign the incident and then change the Status from Assigned back to New.


You are here
Table of Contents > Responding to Incidents

Attachments

    Outcomes