Alerts List View
The Alerts List view (Respond > Alerts) enables you to view all of the threat alerts and indicators received by NetWitness in one location. This can include alerts received from ESA Correlation Rules, Malware Analysis, Reporting Engine, NetWitness Endpoint, as well as many others. In the Alerts List view you can browse through various alerts, filter them, and group them to create incidents.
Workflow
This workflow shows the high-level process that Analysts use to review alerts and create incidents.
In the Alerts List view, you can review a list of alerts from all sources received by NetWitness. After that, you can investigate those alerts further and create incidents from the alerts or you can create incident rules to create incidents.
Note: You can use NetWitness Automated Threat Detection to create incidents without manually creating rules.
What do you want to do?
Role | I want to ... | Show me how |
---|---|---|
Incident Responders, Analysts | View all alerts in NetWitness.* | View Alerts |
Incident Responders, Analysts | Filter alerts.* | Filter the Alerts List |
Incident Responders, | View alert overview information and raw alert metadata.* | |
Incident Responders, Analysts | Create incidents from alerts.* | Create an Incident Manually |
Incident Responders, | (Available in NetWitness Version 11.1 and later) Add alerts to an existing incident.* | |
Administrators, | Delete alerts.* | |
SOC Managers, Administrators | Create incident rules. | See "Create an Incident Rule for Alerts" in the NetWitness Respond Configuration Guide. |
Incident Responders, Analysts | Investigate the events in an alert. | |
Incident Responders, | Add related alerts to an existing incident. | |

*You can complete these tasks here (that is, in the Alerts List view).
Related Topics
Quick Look
To access the Alerts List view, go to Respond > Alerts. The Alerts List view displays a list of all alerts and indicators received by the Respond Server database in NetWitness. The following figure shows the Filters panel on the left.
The Alerts List view consists of a Filters panel, an Alerts List, and an Alert Overview panel. You can click an alert in the Alerts list to view the Alert Overview panel on the right.
Alerts List
The Alerts List shows all of the alerts in NetWitness. You can filter this list to only show alerts of interest.
The following Alerts List view is filtered for Risk Scoring Alerts.
The following table describes the columns in the Alerts List.
Column | Description |
---|---|
| Enables you to select one or more alerts to delete. Users with the appropriate permissions, such as Administrators and Data Privacy Officers, can delete alerts. |
Created | Displays the date and time when the alert was recorded in the source system. |
Severity | Displays the level of severity of the alert. The values are from 1 through 100. |
Name | Displays a basic description of the alert. |
Source | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, ESA correlation rules, Reporting Engine, Risk Scoring, and many others. Note: In NetWitness Platform, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device_type of nwendpoint, the source changes to Endpoint. |
# Events | Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one Event. For certain types of alerts, a high number of events may mean that the alert is more risky. |
Host Summary | Displays details of the host, such as the host name, from which the alert was triggered. The details may include information about the source and destination hosts in an alert. Some alerts may describe events across more than one host. |
Incident ID | Shows the Incident ID of the alert. If there is no incident ID, the alert does not belong to any incident and you can create an incident to include this alert or the alert can be added to an existing incident. |
MITRE ATT&CK Tactics | Shows the particular Tactic associated with each alert. |
At the bottom of the list, you can see the number of alerts on the current page, the total number of alerts, and the number of alerts selected. For example: Showing 4 out of 4 items | 1 selected
Alert Filters Panel
The following figure shows the filters available in the Filters panel.
The Filters panel, on the left of the Alerts List view, has options that you can use to filter the alerts list. When you navigate away from the Filters panel, the Alerts List view retains your filter selections.
Option | Description |
---|---|
Saved Filters | You can select a saved filter to filter the alerts list. Saved filters are global. You can save a filter for other analysts to use and you can use any saved filter. Saved filters are also available for use on the Springboard landing page. Filters used in the Springboard cannot be deleted. |
Time Range | You can select a specific time period from the Time Range drop-down list. The time range is based on the received date of the alerts. For example, if you select Last Hour, you can see alerts that were received within the last 60 minutes. |
Custom Date Range | You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar. |
Type | Indicates the type of events in the alert, for example, logs, network sessions, and so on. |
Source | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, Event Stream Analysis (ESA Correlation Rules), Reporting Engine, Web Threat Detection, Risk Scoring, and many others. Note: In NetWitness Platform, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device_type of nwendpoint, the source changes to Endpoint. |
Severity | Displays the level of severity of the alert. The values are from 1 through 100. |
Part of Incident | Categorizes alerts on whether or not they are associated with an incident. Select Yes to view alerts that are part of an incident. Select No to view alerts that are not part of an incident. For example, before you create incidents from alerts, you may want to select No to view only those alerts that are not already part of an incident. |
Alert Names | Shows the names of the alerts being filtered. You can use this filter to search for all alerts generated by a specific rule, for example, Direct Login to an Administrative Account. |
MITRE ATT&CK Tactics | Allows you to select the tactic associated with the alert. |
MITRE ATT&CK Techniques | Allows you to select the technique associated with the alert. |
Reset | Removes your filter selections. If you reset filters on a saved filter, it takes you to the default empty filter. |
Save | Saves the currently applied alerts filter or updates a saved filter. For a new filter, choose a unique name that contains 1-256 alphanumeric characters, underscores, or hyphens. (This option is available in NetWitness Platform 11.5 and later.) |
Save As | Saves the currently applied alerts filter for future use. Choose a unique name that contains 1-256 alphanumeric characters, underscores, or hyphens. (This option is available in NetWitness Platform 11.5 and later.) |
The Alerts List shows a list of alerts that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the alerts list. For example: Showing 4 out of 4 items
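The filter semantics documented above (Time Range based on the received date, Source with the nwendpoint rule from the Source rows, Part of Incident, Alert Names, and the Save / Save As name rule), as an added Python example run over constructed alert records. This is not part of the NetWitness product or this guide; the Alert fields, the device_type values other than nwendpoint, and the helper names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import re

@dataclass
class Alert:  # assumed shape of one Alerts List row
    name: str
    severity: int            # 1 through 100, as the Severity column documents
    source: str              # source as reported by the producing system
    received: datetime       # when the Respond Server received the alert
    events: List[dict]       # one metadata dict per event, e.g. {"device_type": "nwendpoint"}
    incident_id: Optional[str] = None   # None: the alert is not part of an incident

def effective_source(alert: Alert) -> str:
    """Source shown in the list: 'Endpoint' if any event has device_type nwendpoint."""
    if any(e.get("device_type") == "nwendpoint" for e in alert.events):
        return "Endpoint"
    return alert.source

# Save / Save As: a unique name of 1-256 alphanumeric characters, underscores, or hyphens
SAVED_FILTER_NAME = re.compile(r"[A-Za-z0-9_-]{1,256}")

def valid_saved_filter_name(name: str) -> bool:
    return SAVED_FILTER_NAME.fullmatch(name) is not None

def filter_alerts(alerts, now, last_minutes=None, sources=None,
                  part_of_incident=None, names=None):
    """Apply Filters panel options: Time Range (received date), Source,
    Part of Incident (True = Yes, False = No, None = any), Alert Names."""
    out = []
    for a in alerts:
        if not 1 <= a.severity <= 100:
            raise ValueError(f"severity out of range for {a.name}: {a.severity}")
        if last_minutes is not None and a.received < now - timedelta(minutes=last_minutes):
            continue                       # outside the selected Time Range
        if sources and effective_source(a) not in sources:
            continue
        if part_of_incident is not None and (a.incident_id is not None) != part_of_incident:
            continue
        if names and a.name not in names:
            continue
        out.append(a)
    return out

# Constructed sample alerts (not real NetWitness data)
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Alert("Direct Login to an Administrative Account", 70, "ESA Correlation",
          NOW - timedelta(minutes=10), [{"device_type": "winevent_nic"}], incident_id="INC-1"),
    Alert("Suspicious Process", 90, "Risk Scoring", NOW - timedelta(minutes=30),
          [{"device_type": "nwendpoint"}]),
    Alert("Malware Detected", 50, "Malware Analysis", NOW - timedelta(hours=3),
          [{"device_type": "malware_analysis_sample"}]),
]

def candidates_for_new_incident(alerts, now):
    """Before Create Incident: Last Hour plus Part of Incident = No, as the table advises."""
    return filter_alerts(alerts, now, last_minutes=60, part_of_incident=False)
```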
Alert Overview Panel
The Overview panel shows basic summary information about a selected alert and raw alert metadata. The Overview panel in the Alert Details view contains the same information, but in the Alerts Details view, you can expand the panel to view more information.
The following table lists the fields displayed in the Alert Overview panel.
Field | Description |
---|---|
<Alert Name> | Displays the name of the alert. |
Incident ID | Displays the Incident ID associated with the alert. You can click the incident ID link to go to the Incident Details view of the associated incident. If there is no incident ID, the alert does not belong to an incident. You can create an incident for this alert or you can add it to an incident. |
Created | Displays the date and time when the alert was created. |
Severity | Displays the level of severity of the alert. The values are from 1 through 100. |
Source | Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Malware Analysis, ESA correlation rules, Reporting Engine, Risk Scoring, and many others. Note: In NetWitness Platform, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device_type of nwendpoint, the source changes to Endpoint. |
Type | Indicates the type of events in the alert, for example, logs, network sessions, and so on. There can be multiple types listed. |
# Events | Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one Event. For certain types of alerts, a high number of events may mean that the alert is more risky. |
MITRE ATT&CK Tactics | Displays the tactic associated with the alert. |
MITRE ATT&CK Techniques | Displays the technique associated with the alert. |
Raw Alert | Shows the raw alert metadata. |
Toolbar Actions
This table lists the toolbar actions available in the Alerts List view.
Option | Description |
---|---|
| Enables you to open the Filters panel so that you can specify the alerts that you would like to see in the Alerts List. |
| Closes the panel. |
Create Incident button | Enables you to create incidents from alerts. The alerts cannot be part of an incident. To get a list of alerts without incidents, you can filter the Alerts List. In the Part of Incident section, select No. |
Add to Incident button | Enables you to add selected alerts to an incident. The alerts cannot be part of an incident. To get a list of alerts without incidents, you can filter the Alerts List. In the Part of Incident section, select No. |
Delete button | Allows you to delete alerts. |