I'm curious to see if anyone is really using the Incident Management module within NetWitness. I personally find it a little lacking in most posts but we want to start to use it to better manage incidents.
We don't use Archer but I wondered if it could be used in conjuntion with something like Jira.
Thanks.
Hi Kyle,
Thanks for your reply. Actually it sounds like you use incident management the way we are wanting to use it. We capture IOCs within incident management and then create remediation tickets within the IT helpdesk system for other teams.
When doing investigations within security operations, how do you find recording the information from your investigation tasks within the NetWitness incident management ticket?
I've found it a little inflexible and when adding details into the summary field it just doesn't keep the formatting which makes things harder to read when reviewing later on, plus the incident journal is difficult to read contents of it as well. I've started resorting to adding my investigation steps and reports to a text file and then add that to the incident journal.
Thanks,
Jeremy.
Hi Jeremy,
It isn't the easiest right now, that's for sure. I hear there will be some improvements coming in v11. It is difficult but usually we don't have to go back into the journal unless an action is questioned or need to provide more details. So we keep the journal more for our records and use an external reporting source if required to put all the data into a presentable format.
Regards,
Kyle
Hi Jeremy,
We use it quite a bit but maybe in a different way than you are hoping. We use it to alert us to the IoC's we are alerting on for further investigation and the details of that investigation. Should we require action from a team outside of the security operations, we create a remediation ticket within Netwitness Incident Management with the external Ticket Number for reference and then use the Incident/Change management system the rest of IT uses. As with most investigations, some lead to action, some stay within the team, and some are false positives, etc. So we use it to do our internal team investigations, document what we've found and then pivot to our enterprise system to request input or work from other teams.
I've never used it with Jira.
Hopefully that helps and partly answers your question.
Regards,
Kyle