Alert Details View

In the Alert Details view (Respond > Alerts > click a row in the Alerts List), you can view an overview of an alert, such as the source of the alert, the number of events within the alert and, if the alert is part of an incident, its Incident ID. You can also view the raw alert, which contains detailed information about the events.

Workflow

This workflow shows the high-level process that Analysts use to review alerts and create incidents.

(Figure: Alert Details workflow diagram)

After reviewing the Alerts List, you can investigate those alerts further and create incidents from them in the Alert Details view. In the Configure > Incident Rules view, you can create incident rules that create incidents automatically.

Note: You can also use NetWitness Automated Threat Detection to create incidents without manually creating rules.

What do you want to do?

Role | I want to ... | Show me how
Incident Responders, Analysts | View all alerts in NetWitness. | View Alerts
SOC Managers, Administrators | Create incident rules. | See "Create an Incident Rule for Alerts" in the NetWitness Respond Configuration Guide.
Incident Responders, Analysts | View a list of events in the alert.* | View Event Details for an Alert
Incident Responders, Analysts | View event metadata for each event in the alert.* | View Event Details for an Alert
Incident Responders, Analysts | Further investigate the events in the alert.* | Investigate Events
Incident Responders, Analysts | Add alerts to an existing incident. | Add Alerts to an Incident; Add Related Indicators to the Incident
Incident Responders, Analysts | Create incidents from alerts. | Create an Incident Manually
Data Privacy Officers, Administrators | Delete alerts. | Delete Alerts

*You can complete these tasks here (that is, in the Alert Details view).

Quick Look

  1. To access the Alert Details view, go to Respond > Alerts.

  2. In the Alerts list, choose an alert to view and then click the link in the Name column for that alert.
    The Alert Details view has an Overview panel on the right. You can resize the panels to show more information as shown in the following figure.

(Figure: Alert Details view with the Overview panel)


Overview Panel

The Overview panel shows basic summary information about the selected alert. It contains the same information as the Overview panel in the Alerts List view; see the Alert Overview Panel topic for the Alerts List view for a description of each field.

(Figure: Alert Details Overview panel)

Events - Process Tree View

Click an event name link to view the event details. The Process Tree Viewer opens and displays the process that caused the alert and the processes it originated from.

(Figure: Events - Process Tree view, with numbered callouts 1 to 8)

  1. The process that caused the alert, highlighted with a red outline.

  2. and 3. The processes from which the highlighted process originated (its parent and earlier ancestors).

  4. Summary of the alert.

  5. Event Details section, which shows the tactics, techniques, and event time stamp.

  6. Process Details section, which provides detailed insights about the selected process.

  7. Network Connections established by the process. You can view the network connections that took place up to ten minutes before and up to ten minutes after the alert trigger time. Network connection details are available only for the process that caused the alert, not for its ancestors.

  8. The name of the host where the process exists, with a link to that host.
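As an added example (this is not NetWitness code and does not use the product's export format), the following Python reproduces the two things this view shows from flat endpoint records: the ancestry chain of the alerting process (callouts 1 to 3) and the connections that process made within ten minutes either side of the alert trigger time (callout 7). The record layout, the field names pid, ppid, name, time and dst, and all sample data are assumptions constructed for the example.

```python
"""Added example, not NetWitness code: rebuild the Process Tree Viewer's
ancestry chain and ten-minute network-connection window from flat records.

Assumption (not from the page): process and connection records are dicts
with the fields used below. Real NetWitness exports use different names.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real telemetry).
PROCESSES = [
    {"pid": 1,    "ppid": 0,    "name": "wininit.exe"},
    {"pid": 400,  "ppid": 1,    "name": "services.exe"},
    {"pid": 812,  "ppid": 400,  "name": "svchost.exe"},
    {"pid": 3030, "ppid": 812,  "name": "powershell.exe"},  # process that caused the alert
    {"pid": 3100, "ppid": 3030, "name": "cmd.exe"},         # child: not an ancestor, so not shown
]

CONNECTIONS = [
    {"pid": 3030, "time": "2024-05-01T10:05:00Z", "dst": "198.51.100.7:443"},
    {"pid": 3030, "time": "2024-05-01T09:48:00Z", "dst": "198.51.100.7:443"},   # 12 min before: outside window
    {"pid": 3030, "time": "2024-05-01T10:09:59Z", "dst": "203.0.113.9:8080"},  # inside window
    {"pid": 812,  "time": "2024-05-01T10:01:00Z", "dst": "192.0.2.5:135"},     # ancestor's connection: excluded
]

ALERT_PID = 3030
ALERT_TIME = "2024-05-01T10:00:00Z"


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def ancestry(processes, pid):
    """Return [alerting process, parent, grandparent, ...] up to the root.

    Stops at a missing parent or on a ppid cycle (seen set), so corrupted
    or partial process data cannot loop forever.
    """
    by_pid = {p["pid"]: p for p in processes}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def connections_in_window(connections, pid, alert_time, window=timedelta(minutes=10)):
    """Connections made by `pid` within [alert_time - window, alert_time + window].

    Only the alerting process is considered, matching the viewer's behaviour
    of showing connections for the process that caused the alert alone.
    """
    centre = parse_time(alert_time)
    lo, hi = centre - window, centre + window
    return sorted(
        (c for c in connections if c["pid"] == pid and lo <= parse_time(c["time"]) <= hi),
        key=lambda c: parse_time(c["time"]),
    )


def render_tree(chain):
    """Indented root-to-leaf rendering with the alerting process marked."""
    lines = []
    for depth, proc in enumerate(reversed(chain)):
        marker = "  <-- caused the alert" if proc is chain[0] else ""
        lines.append(f"{'  ' * depth}{proc['name']} (pid {proc['pid']}){marker}")
    return "\n".join(lines)


if __name__ == "__main__":
    chain = ancestry(PROCESSES, ALERT_PID)
    print(render_tree(chain))
    for c in connections_in_window(CONNECTIONS, ALERT_PID, ALERT_TIME):
        print(f"{c['time']}  pid {c['pid']} -> {c['dst']}")
```

The cycle guard in ancestry matters in practice: endpoint data with a reused or spoofed parent PID would otherwise send a naive parent walk into an infinite loop.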

Events List

The Events List for a selected alert shows all of the events contained in that alert.

Event Details

The Event Details in the Events panel shows the event metadata for each event in the alert.

(Figure: Event Details)

The following table lists some of the sections and subsections shown in Event Details. This is not an exhaustive list.

Section | Subsection | Description
Summary | | Shows a summary of the event.
Event | | Shows the destination device and user.
Event | Device | Shows information about the destination device. See Event Source or Destination Device Attributes below.
Event | User | Shows information about the user or users of the destination device. See Event Source or Destination User Attributes below.
Detector | | Shows the host or software product that detected the issue. This is most relevant for malware scanners and logs.
Detector | Device Class | Shows the device class of the product that detected the alert.
Detector | IP Address | Shows the IP address of the product that detected the alert.
Detector | Product Name | Shows the name of the product that detected the alert.
Domain | | Shows the domain associated with the event.
Enrichment | | Shows available enrichment information.
Enrichment | Related Links | If available, shows a link back to the user interface (UI) of the source product.
Enrichment | Related Links > Type | Shows the type of event, such as investigate_original_event.
Enrichment | Related Links > URL | Shows the URL link back to the UI of the source product.
Size | | Shows the size of the transmission or file involved.
Source | | Shows the source device and user.
Source | Device | Shows information about the source machine. See Event Source or Destination Device Attributes below.
Source | User | Shows information about the user or users of the source machine. See Event Source or Destination User Attributes below.
Timestamp | | Shows the time that the event occurred.
Type | | Shows the type of the alert, such as log, network, correlation, Resubmit, Manual Upload, On Demand, File Share, or Instant IOC.

Event Source or Destination Device Attributes

The following table lists attributes for an event source or destination device that can be shown in Event Details.

Name | Description
Asset Type | Displays the type of device, for example, desktop, laptop, server, network equipment, tablet, and so on.
Business Unit | Shows the business unit associated with the device.
Compliance Rating | Shows the compliance rating of the device. It can be Low, Medium, or High.
Criticality | Shows how critical the device is to the business (business criticality).
Facility | Shows the location of the device.
Geolocation | Shows the geographic location of the host. It can contain the following attributes: city, country, latitude, longitude, organization, and domain.
IP Address | Shows the IP address of the device.
MAC Address | Shows the MAC address of the device.
NetBIOS Name | Shows the NetBIOS name of the device.
Port | Displays the TCP port, UDP port, or IP source port (the first one available) used to connect to and from the host.

Event Source or Destination User Attributes

The following table lists attributes for an event source or destination user that can be shown in Event Details.

Attribute Name | Description
AD Domain | Shows the Active Directory domain.
AD Username | Shows the Active Directory username.
Email Address | Shows the email address of the user.
Username | Shows a generic username when the source of the username is not known, for example a UNIX username or a username from a particular system.

Toolbar Actions

This table lists the toolbar actions available in the Alert Details view.

Option | Description
Back to Alerts (arrow icon) | Navigates back to the Alerts List view.
Event navigation arrows and Back to Table | Click the arrows to step through the event metadata details for each event in the alert. The counter, such as "1 of 2", shows which event you are currently viewing. Click Back to Table to return to the Events List view, which is also known as the Events Table.