2016-12-20 06:09 PM
I'm curious to see if anyone is really using the Incident Management module within NetWitness. I personally find it a little lacking in most posts but we want to start to use it to better manage incidents.
We don't use Archer but I wondered if it could be used in conjunction with something like Jira.
Thanks.
2016-12-21 12:07 AM
Hi Jeremy,
We use it quite a bit but maybe in a different way than you are hoping. We use it to alert us to the IoCs we are alerting on for further investigation and the details of that investigation. Should we require action from a team outside of security operations, we create a remediation ticket within NetWitness Incident Management with the external ticket number for reference and then use the Incident/Change management system the rest of IT uses. As with most investigations, some lead to action, some stay within the team, and some are false positives, etc. So we use it to do our internal team investigations, document what we've found and then pivot to our enterprise system to request input or work from other teams.
I've never used it with Jira.
Hopefully that helps and partly answers your question.
Regards,
Kyle
2016-12-21 04:50 PM
Hi Kyle,
Thanks for your reply. Actually it sounds like you use incident management the way we are wanting to use it. We capture IOCs within incident management and then create remediation tickets within the IT helpdesk system for other teams.
When doing investigations within security operations, how do you find recording the information from your investigation tasks within the NetWitness incident management ticket?
I've found it a little inflexible, and when adding details into the summary field it just doesn't keep the formatting, which makes things harder to read when reviewing later on; plus the contents of the incident journal are difficult to read as well. I've started resorting to adding my investigation steps and reports to a text file and then attaching that to the incident journal.
Thanks,
Jeremy.
2017-01-04 06:08 PM
Hi Jeremy,
It isn't the easiest right now, that's for sure. I hear there will be some improvements coming in v11. It is difficult, but usually we don't have to go back into the journal unless an action is questioned or we need to provide more details. So we keep the journal more for our records and use an external reporting source if required to put all the data into a presentable format.
Regards,
Kyle