Did you know that you can use Respond for data exploration, even if you aren't using it for Incident Management? While the naming convention certainly does not suggest it, Respond can be just as useful outside of incident response a place for analysts to group events of interest during investigation and hunting efforts. Using Respond as more of an analyst workspace can help teams collaborate better, track streams of thought, and take advantage of Respond's new and improved visualization capabilities as of 11.4 (see https://community.rsa.com/community/products/netwitness/staging/pm-ux/blog/2020/01/30/visualization-enhancements-in-rsa-netwitness-platform-114 for details).
Step 1 - Create an "Incident" from Events view
Once you have a set of data that carries significance, you can select any set or subset of events contained in a data set and use it to create a new "Incident". For our purposes here, you'll have to look past the current naming conventions of Alerts and Incidents and just think of it as a grouping of events (log, endpoint, or network sessions).
What data sets to use is largely up to you, but this type of approach is particularly useful when following a methodology that requires systematically carving larger data sets into smaller, more manageable ones. The example above is based on RSA's Network Hunting Guide, details of which can be found here: RSA NetWitness Hunting Guide
Step 2 - Open in Respond
Once opened, all of the capabilities available when using Respond for Incident Management are available. It doesn't mean you have to use all of them, but you may find some of them to be a handy way to tag in other analysis (Tasks) and keep track of your analysis (Journal). And if you do happen to find something malicious in the data set, all of the relevant information is already contained.
In the example above, we're seeing if anything interesting shows up in the data set for "All outbound HTTP sessions using the POST method". The nodal diagram can be a useful way to see how the data is distributed between entities (larger bubbles meaning a larger number of events), which sub data sets within the larger one are dealing with disjoint sets of entities (Files, Hosts, IPs, Users, MAC Addresses), and can key your eye towards groupings that lead to deeper levels of inspection.
Step 3 - Use Respond Tools to Track, Pivot, and Collaborate
View Event Cards
In-line Event Reconstruction (eg. Network Reconstruction)
Entity Details - Pivot To Other Views
Add New Events
And don't forget that you can always add more events to the same Respond incident to expand investigation if more leads are uncovered. Simply start from the top, and "Add To Incident".
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.