Alerts List View

The Alerts List view (Respond > Alerts) enables you to view all of the threat alerts and indicators received by NetWitness in one location. This can include alerts received from ESA Correlation Rules, Malware Analysis, Reporting Engine, NetWitness Endpoint, as well as many others. In the Alerts List view you can browse through various alerts, filter them, and group them to create incidents.

Workflow

This workflow shows the high-level process that Analysts use to review alerts and create incidents.

(Figure: high-level workflow for reviewing alerts and creating incidents)

In the Alerts List view, you can review a list of alerts from all sources received by NetWitness. You can then investigate those alerts further and create incidents from them, or you can create incident rules that create incidents for you.

Note: You can use NetWitness Automated Threat Detection to create incidents without manually creating rules.

What do you want to do?

Role | I want to ... | Show me how
Incident Responders, Analysts | View all alerts in NetWitness.* | View Alerts
Incident Responders, Analysts | Filter alerts.* | Filter the Alerts List
Incident Responders, Analysts | View alert overview information and raw alert metadata.* | View Alert Summary Information
Incident Responders, Analysts | Create incidents from alerts.* | Create an Incident Manually
Incident Responders, Analysts | (Available in NetWitness Version 11.1 and later) Add alerts to an existing incident.* | Add Alerts to an Incident
Administrators, Data Privacy Officers | Delete alerts.* | Delete Alerts
SOC Managers, Administrators | Create incident rules. | See "Create an Incident Rule for Alerts" in the NetWitness Respond Configuration Guide.
Incident Responders, Analysts | Investigate the events in an alert. | View Event Details for an Alert and Investigate Events
Incident Responders, Analysts | Add related alerts to an existing incident. | Add Related Indicators to the Incident

*You can complete these tasks here (that is, in the Alerts List view).

Quick Look

To access the Alerts List view, go to Respond > Alerts. The Alerts List view displays a list of all alerts and indicators received by the Respond Server database in NetWitness. The following figure shows the Filters panel on the left.

(Figure: Alerts List view with the Filters panel on the left)

The Alerts List view consists of a Filters panel, an Alerts List, and an Alert Overview panel. Click an alert in the Alerts List to open the Alert Overview panel on the right.

(Figure: Alerts List view with the Alert Overview panel open on the right)

Alerts List

The Alerts List shows all of the alerts in NetWitness. You can filter this list to only show alerts of interest.

(Figure: Alerts List)

The following Alerts List view is filtered for Risk Scoring Alerts.

(Figure: Alerts List view filtered for Risk Scoring Alerts)

The following table describes the columns in the Alerts List.

Column | Description
(checkbox icon) | Enables you to select one or more alerts to delete. Users with the appropriate permissions, such as Administrators and Data Privacy Officers, can delete alerts.
Created | Displays the date and time when the alert was recorded in the source system.
Severity | Displays the severity level of the alert. The values are from 1 through 100.
Name | Displays a basic description of the alert.
Source | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, ESA correlation rules, Reporting Engine, Risk Scoring, and many others.

Note: In NetWitness Platform 11.3 and later, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device_type of nwendpoint, the source changes to Endpoint.

# Events | Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one event. For certain types of alerts, a high number of events may indicate that the alert is more risky.
Host Summary | Displays host details, such as the name of the host on which the alert was triggered. The details may include information about the source and destination hosts in an alert. Some alerts may describe events across more than one host.
Incident ID | Shows the Incident ID of the alert. If there is no Incident ID, the alert does not belong to any incident; you can create an incident that includes this alert, or add the alert to an existing incident.
MITRE ATT&CK Tactics | Shows the tactic associated with each alert.

At the bottom of the list, you can see the number of alerts on the current page, the total number of alerts, and the number of alerts selected. For example: Showing 4 out of 4 items | 1 selected

Alert Filters Panel

The following figure shows the filters available in the Filters panel.

(Figure: Filters panel)

The Filters panel, on the left of the Alerts List view, has options that you can use to filter the alerts list. When you navigate away from the Filters panel, the Alerts List view retains your filter selections.

Option | Description
Saved Filters | You can select a saved filter to filter the alerts list. Saved filters are global: you can save a filter for other analysts to use, and you can use any saved filter. Saved filters are also available for use on the Springboard landing page. Filters used in the Springboard cannot be deleted. (This option is available in NetWitness Platform 11.5 and later.)
Time Range | You can select a specific time period from the Time Range drop-down list. The time range is based on the received date of the alerts. For example, if you select Last Hour, you see alerts that were received within the last 60 minutes.
Custom Date Range | You can specify a date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields, then select the dates and times from the calendar.
(Figure: Custom Date Range with Start Date and End Date fields)
Type | Indicates the type of events in the alert, for example, logs, network sessions, and so on.
Source | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, Event Stream Analysis (ESA Correlation Rules), Reporting Engine, Web Threat Detection, Risk Scoring, and many others.

Note: In NetWitness Platform 11.3 and later, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device_type of nwendpoint, the source changes to Endpoint.

Severity | Displays the severity level of the alert. The values are from 1 through 100.
Part of Incident | Categorizes alerts by whether or not they are associated with an incident. Select Yes to view alerts that are part of an incident. Select No to view alerts that are not part of an incident. For example, before you create incidents from alerts, you may want to select No to view only those alerts that are not already part of an incident.
Alert Names | Shows the names of the alerts being filtered. You can use this filter to find all alerts generated by a specific rule, for example, Direct Login to an Administrative Account.
MITRE ATT&CK Tactics | Allows you to select the tactic associated with the alert.
MITRE ATT&CK Techniques | Allows you to select the technique associated with the alert.
Reset | Removes your filter selections. If you reset filters while a saved filter is applied, it takes you to the default empty filter.
Save | Saves the currently applied alerts filter or updates a saved filter. For a new filter, choose a unique name of 1-256 alphanumeric characters, underscores, or hyphens. (This option is available in NetWitness Platform 11.5 and later.)
Save As | Saves the currently applied alerts filter for future use. Choose a unique name of 1-256 alphanumeric characters, underscores, or hyphens. (This option is available in NetWitness Platform 11.5 and later.)

The Alerts List shows a list of alerts that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the alerts list. For example: Showing 4 out of 4 items
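The filter semantics described above, as an added example that is not NetWitness code: Time Range is evaluated against the received date, Part of Incident against the presence of an Incident ID, and the displayed Source becomes Endpoint when any event in the alert has a device_type of nwendpoint. The alert record layout and every device_type value other than nwendpoint are constructed for illustration and are not the Respond Server schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed alert records (not the NetWitness schema); only the fields the
# Alerts List view exposes are modelled. Times are fixed so the run is repeatable.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ALERTS = [
    {"name": "Direct Login to an Administrative Account", "source": "ESA Correlation",
     "severity": 70, "received": NOW - timedelta(minutes=10), "incident_id": None,
     "events": [{"device_type": "windows_log"}]},            # constructed device_type
    {"name": "Suspicious Process Created", "source": "ESA Correlation",
     "severity": 90, "received": NOW - timedelta(minutes=30), "incident_id": "INC-12",
     "events": [{"device_type": "nwendpoint"}, {"device_type": "windows_log"}]},
    {"name": "Malware Detected", "source": "Malware Analysis",
     "severity": 50, "received": NOW - timedelta(hours=3), "incident_id": None,
     "events": [{"device_type": "constructed_malware_feed"}]},
]

def displayed_source(alert):
    """Source as shown in the list: one nwendpoint event is enough to make it Endpoint."""
    if any(e.get("device_type") == "nwendpoint" for e in alert["events"]):
        return "Endpoint"
    return alert["source"]

def filter_alerts(alerts, now, last=None, part_of_incident=None, min_severity=1, source=None):
    """Apply the Filters panel rules: Time Range on the received date, Part of Incident
    on whether an Incident ID is present, Severity within 1-100, and displayed Source."""
    out = []
    for a in alerts:
        if last is not None and a["received"] < now - last:
            continue                                   # outside the selected Time Range
        if part_of_incident is not None and (a["incident_id"] is not None) != part_of_incident:
            continue                                   # Part of Incident Yes/No mismatch
        if not (min_severity <= a["severity"] <= 100):
            continue
        if source is not None and displayed_source(a) != source:
            continue
        out.append(a)
    return out

def candidates_for_new_incident(alerts, now):
    """What an analyst sees with Time Range = Last Hour and Part of Incident = No."""
    hits = filter_alerts(alerts, now, last=timedelta(hours=1), part_of_incident=False)
    return [a["name"] for a in hits]

if __name__ == "__main__":
    print(candidates_for_new_incident(ALERTS, NOW))  # ['Direct Login to an Administrative Account']
```

Note that the second constructed alert was produced by an ESA rule yet is listed under the Endpoint source, which is why filtering on Source alone can hide correlation alerts that include an endpoint event.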

Alert Overview Panel

The Overview panel shows basic summary information about a selected alert and the raw alert metadata. The Overview panel in the Alert Details view contains the same information, but there you can expand the panel to view more.

(Figure: Alert Overview panel showing summary fields and raw alert metadata)

The following table lists the fields displayed in the Alert Overview panel.

Field | Description
<Alert Name> | Displays the name of the alert.
Incident ID | Displays the Incident ID associated with the alert. You can click the Incident ID link to go to the Incident Details view of the associated incident. If there is no Incident ID, the alert does not belong to an incident; you can create an incident for this alert or add it to an existing incident.
Created | Displays the date and time when the alert was created.
Severity | Displays the severity level of the alert. The values are from 1 through 100.
Source | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, ESA correlation rules, Reporting Engine, Risk Scoring, and many others.

Note: In NetWitness Platform 11.3 and later, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device_type of nwendpoint, the source changes to Endpoint.

Type | Indicates the type of events in the alert, for example, logs, network sessions, and so on. There can be multiple types listed.
# Events | Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one event. For certain types of alerts, a high number of events may indicate that the alert is more risky.
MITRE ATT&CK Tactics | Displays the tactic associated with the alert.
MITRE ATT&CK Techniques | Displays the technique associated with the alert.
Raw Alert | Shows the raw alert metadata.

Toolbar Actions

This table lists the toolbar actions available in the Alerts List view.

Option | Description
(Filter icon) | Opens the Filters panel so that you can specify the alerts that you want to see in the Alerts List.
(Close icon) | Closes the panel.
Create Incident button | Enables you to create incidents from alerts. The selected alerts cannot already be part of an incident. To get a list of alerts without incidents, filter the Alerts List: in the Part of Incident section, select No.
Add to Incident button | (This option is available in NetWitness Version 11.1 and later.) Enables you to add selected alerts to an incident. The selected alerts cannot already be part of an incident. To get a list of alerts without incidents, filter the Alerts List: in the Part of Incident section, select No.
Delete button | Allows you to delete alerts.