Determine which Incidents Require Action

Once you get the general information about the incident from the Incident List view, you can go to the Incident Details view for more information to determine the action required.

netwitness_12.1_incdtlsvwex3_1122_960x538.png

You can perform the following procedures in the Incident Details view to determine the action required on an incident:

View Incident Details

To view details for an incident, in the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.

netwitness_12.1_listvwaccessdetvwex3_1122_864x423.png

The Incident Details view for the selected incident appears with the Indicators panel, Nodal Graph, and Journal in view.

netwitness_12.1_incdtlsvwex3_1122_864x484.png

The Incident Details view has the following panels:

  • Overview: The incident Overview panel contains high-level summary information about the incident, such as the score, priority, alerts, and status. You have the option to send the incident to Archer and change the incident Priority, Status, and Assignee.
  • Indicators: The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.
  • Related Indicators: The Related Indicators panel enables you to search the NetWitness alerts database to find alerts that are related to this incident. You can also add related alerts that you find to the incident.
  • History: The History panel allows you to view the different actions performed by the user on an incident. Events such as Incident Assignee change, Incident Status change, Incident Priority change, and Incident creation are recorded in this panel.
  • Nodal Graph: The nodal graph is an interactive graph that shows the relationship between the entities involved in the incident. An Entity is represented by an IP address, MAC address, user, host, domain, file name, or file hash.
  • Events List: The Events List, also known as the Events table, lists the events associated with the incident. It also shows event source and destination information along with additional information depending on the event type. You can click the top of an event in the list to view the detailed data for that event.
  • Journal: The Journal panel enables you to access the Journal for the selected incident, which allows you to communicate and collaborate with other analysts. You can post notes to a journal, add Investigation Milestone tags (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action on Objective, Containment, Eradication, and Closure), and view the history of activity on your incident.
  • Tasks: The Tasks panel shows all of the tasks that have been created for the incident. You can also create additional tasks from here.

To view more information in the left-side panel without scrolling, you can hover over the right edge and drag the line to resize the panel as shown in the following figure:

netwitness_12.1_incdtlsexpandex2_1122_960x535.png

View Basic Summary Information about the Incident

You can view basic summary information about an incident in the Overview panel.

Above the Overview panel, you can see the following information:

  • Incident ID: This is an automatically created unique ID assigned to the incident.
  • Name: The incident name is derived from the rule used to trigger the incident.
  • Send to Archer / Sent to Archer: (In version 11.2 and later, if Archer is configured as a data source in Context Hub, you can send incidents to Archer Cyber Incident & Breach Response and this option is available in NetWitness Respond.) This shows whether an incident has been sent to Archer Cyber Incident & Breach Response. An incident sent to Archer shows as Sent to Archer. An incident that has not been sent to Archer shows as Send to Archer. You can click the Send to Archer button to send the incident to Archer Cyber Incident & Breach Response.

netwitness_panelstopex3_384x118.png

To view the Overview panel from the Incident Details view, select Overview in the left panel.

netwitness_time_to_resolve_incident_overview.png

To view the Overview panel from the Incidents List view, click a row in the incident list. The Overview panel appears on the right.

netwitness_12.1_listvwopendetex3_1122_960x538.png

The Overview panel contains basic summary information about the selected incident:

  • Created: Shows the creation date and time of the incident.
  • Rule / By: Shows the name of the rule that created the incident or the name of the person who created the incident.
  • Risk Score: Shows a value between 0 and 100 that indicates the risk of the incident as calculated by an algorithm. 100 is the highest risk score.
  • Priority: Shows the incident priority. Priority can be Critical, High, Medium or Low.
  • Status: Shows the incident status. The status can be Reopen, New, Assigned, In Progress, Task Requested, Task Complete, Closed, and Closed - False Positive. After you create a task, the status changes to Task Requested.
  • Assignee: Shows the team member currently assigned to the incident.
  • Sources: Indicates the data sources used to locate the suspicious activity.
  • Categories: Shows the categories of the incident events.
  • Catalysts: Shows the count of indicators that gave rise to the incident.
  • External ID: Allows storing the Incident ID referrals from a different platform such as Archer.
  • Time to Acknowledge: Shows the time taken to assign an Incident after creating it.
  • Time to Detect: Shows the time taken for completing the task after the Incident is assigned.

  • Time to Resolve: Shows the time taken for closing the task after the Incident is created.
  • Persisted Status: Shows the persist status of the Incident. The status can be Complete, Partial, or None (-).

View the Indicators and Enrichments

Note: Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert.

You can find indicators, events, and enrichments on the Indicators panel. The Indicators panel is a chronological listing of indicators that helps you to find enrichments and events related to the triggering indicator. For example, an indicator might be a Command and Control alert, a NetWitness Endpoint alert, a Suspicious Domain (C2) alert, or an alert from an Event Stream Analysis (ESA) rule. The Indicators panel helps you to aggregate and order these indicators (alerts) from different systems so that you can see how they are related and also help you develop a timeline of a given attack.

To view the Indicators panel, in the left panel of the Incident Details view, select Indicators.

netwitness_indctrsplex1red_384x358.png

Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. This listing helps you to connect indicators and notable data. For example, indicators can show the data found by your rules. In the Indicators panel, the risk score for an indicator is shown within a solid-colored circle.

Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. When data is available, you can see the number of enrichments. You can click the event and enrichment buttons to view the details.

Note: The maximum number of indicators (alerts) displayed in the Indicators panel is 1,000.

View and Study the Events

You can view and study the events associated with the incident from the Events List. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.

There are two types of events:

  • A transaction between two machines (a Source and a Destination)
  • An anomaly detected on a single machine (a Detector)

Some events will only have a Detector. For example, NetWitness Endpoint finds malware on your machine. Other events will have a Source and Destination. For example, packet data shows communication between your machine and a Command and Control (C2) domain.

You can drill further into an event to get detailed data about the event.

To view and study the events:

  1. To view the Events List, in the Incident Details view toolbar, click netwitness_ic-events_list.png.
    netwitness_12.1_eventlistred_1122_864x485.png

    Note: The EVENT TIME displayed on this screen is the same as the COLLECTION TIME from the investigation page.

    The Events List shows different information about each event depending on the event type. The maximum number of events displayed in the Events List is 1,000.


    The following table lists typical event information. For details specific to endpoint events, see Events List.

    Field

    Description

    EVENT TIMEShows the time the event occurred.
    EVENT TYPEShows the type of alert, such as Log and Network.

    DETECTOR IP

    Shows the IP address of the machine where an anomaly was detected.

    FILE NAMEShows the file name if a file is involved with the event.

    FILE HASH

    Shows a hash of the file contents.

    SOURCE IPShows the source IP address if there was a transaction between two machines.

    SOURCE PORT

    Shows the source port of the transaction. The source and destination ports can be on the same IP address.

    SOURCE HOSTShows the destination host where the event took place.

    SOURCE MAC

    Shows the MAC address of the source machine.

    SOURCE USERShows the user of the source machine.

    TARGET IP

    Shows the destination IP address if there was a transaction between two machines

    TARGET PORTShows the destination port of the transaction. The source and destination ports can be on the same IP address.

    TARGET HOST

    Shows the host name of the destination machine.

    TARGET MACShows the MAC address of the destination machine.

    TARGET USER

    Shows the user of the destination machine.

  2. Click the top of an event in the Events List to view the event details.
    This example shows the event details for a selected event in the list.
    netwitness_12.1_eventdetails2_1122_864x484.png
  3. To view the events for a specific indicator (alert), go to the Indicators panel on the left and click the indicator to view the events for that indicator in the Events List on the right.
    This example shows one event for a selected indicator.
    netwitness_12.1_eventdetails_1122_864x327.png
  4. To view event details for a specific indicator event, select an event in the Indicators panel. Click the top of the event to view the details.
    The following example shows information for the selected event.
    netwitness_12.1_eventdtlsoneevent_1122_864x328.png

    If you have additional Investigate-server permissions, you can also access event analysis details for events. See View Event Analysis Details for Indicators. If you have the UEBA_Analysts role, you can access UEBA details for indicators. See View User Entity Behavior Analytics for Indicators.

View C2 Enrichment Information for Suspected C&C Incidents

Note: This procedure applies only to incidents from ESA Analytics in NetWitness Version 11.3 and 11.4. The Event Stream Analytics Server (ESA Analytics) service, which is used for Automated Threat Detection, is end of life (EOL) and not supported in NetWitness Platform Version 11.5 and later.

The Events List in version 11.3 and later does not show the Command and Control (C2) enrichment information for HTTP packet alerts in Suspected C&C incidents. However, you can view the C2 enrichment information in the Alert Details view.

  1. Go to Respond > Incidents, look for a Suspected C&C incident, and note the incident ID.
    netwitness_c2enrichment1_672x177.png

  2. Go to Respond > Alerts and in the Filters panel, select the following to locate an alert in the Alerts list with the incident ID noted above:

    1. In the Part of Incident section, select Yes.

    2. In Alert Names section, select http-packet.

    If you are still not able to locate an alert in the Alerts list with the incident ID noted above, try filtering your alerts list more using the time range of the incident.

    netwitness_c2enrichment2_672x439.png

  3. In the Alerts list, click the http-packet link in the NAME field of the alert associated with the incident ID.
    The Event Details view shows the C2 enrichment information.
    netwitness_c2enrichment3_672x425.png

View and Study the Entities Involved in the Events on the Nodal Graph

An Entity is either an IP address, MAC address, user, host, domain, file name, or file hash. The nodal graph is an interactive graph that you can move around to get a better understanding of how the entities involved in the events relate to each other. The nodal graphs look different depending on the type of event, the number of machines involved, whether the machines are associated with users, and if there are files associated with the event.

The following figure shows an example nodal graph with six nodes.

netwitness_nodalgraph_960x695.png

If you look closely at the nodal graph, you can see circles that represent nodes. A nodal graph can contain one or more of the following types of nodes:

  • IP address (If the event is a detected anomaly, you can see a Detector IP. If the event is a transaction, you can see a Destination IP and a Source IP.)
  • MAC address (You may see a MAC address for each type of IP address.)
  • User (If the machine is associated with a user, you can see a user node.)
  • Host
  • Domain
  • Filename (If the event involves files, you can see a filename.)
  • File Hash (If the event involves files, you may see a file hash.)

In NetWitness 11.3 events, nodes for source filename and file hash are supported, but nodes for target filename and file hash are not supported. In NetWitness 11.4 and later events, nodes for both source and target filenames as well as file hashes are supported.

The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes.

You can click and drag any node to reposition it.

The arrows between the nodes provide additional information about the entity relationships:

  • Communicates with: An arrow between a Source machine node (IP address or MAC address) and a Destination machine node labeled with "communicates with" shows the direction of the communication.
  • Has file: An arrow between a machine node (IP address, MAC address, or Host) and a file hash node labeled with "has file" indicates that the IP address has that file.
  • Uses: An arrow between a User node and a machine node (IP address, MAC address, or Host) labeled with "uses" shows the machine that the user was using during the event.
  • Calls: (This arrow is available in NetWitness Platform 11.4 and later.) An arrow between two file hash (checksum) nodes labeled with "calls" indicates the direction of the interaction between the associated files. The source file hash "calls" the target (destination) file hash, which indicates that the source file associated with the source file hash is performing an action on the target file associated with the target file hash.
  • As: (This relationship type represents attributes of the connected node.) An arrow between nodes labeled with "as" provides additional information about the IP address that the arrow points to. In the above example, there is an arrow from the host node circle that points to an IP address node that is labeled with "as". This indicates that the name on the host node circle is the hostname of that IP address and is not a different entity.
  • Is named: (This relationship type represents attributes of the connected node.) An arrow from a File Hash node to a File Name node labeled with "is named" indicates that the file hash corresponds to a file with that name.
  • Belongs to: (This relationship type represents attributes of the connected node.) An arrow between two nodes labeled with "belongs to" indicates that they pertain to the same node. For example, an arrow between a MAC address and a Host labeled with "belongs to" indicates that it is the MAC address for the host.

Larger line size arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The larger nodes are the most common entities mentioned in the events.

The following nodal graph example has 11 nodes.

netwitness_nodaldiagr2_960x637.png

In this example, notice that there are two IP nodes. They both have hashed files, but they do not communicate with each other. The IP address at the top (192.168.1.1) represents one machine with two hostnames (host.example.com is one of them) in the example.com domain. The MAC address of the machine is 11-11-11-11-11-11-11-11-11 and Alice uses it.

Note: The following example applies to NetWitness Platform 11.4 and later.

In the following nodal graph example, you can see the interaction between source and target (destination) files. There are six nodes in the selected event.

netwitness_filehashcallsexample_960x480.png

In this example, the user communicates with a host that has dtf.eve and cmd.exe files. The dtf.exe file on the host "calls" (in this case, launches) the cmd.exe file, which is suspected to be malicious activity. Notice that the "calls" arrow appears between the source and target file hashes, which are associated with the files.

Nodal Graph Behaviors and Characteristics

Note: These nodal graph behaviors and characteristics are available in NetWitness Platform Version 11.4 and later.

The nodal graph makes it easier for an analyst to get an initial understanding of an incident with minimal effort.

The nodal graph provides the following benefits to an analyst when responding to an incident:

  • The nodal graph helps determine scope, commonalities, and outliers in a given dataset, which can be useful context for an analyst.
  • In many cases, the initial nodal graph layout presents valuable insight without any interaction from the analyst.
  • In cases where the initial layout does not give enough clarity or when an analyst wants to view things differently, a few nodal mouse-drag position adjustments can provide a much faster method of exposing insightful relationships and clusters.

The following behaviors and characteristics are now part of the graph:

  • Entities of similar types tend to cluster together visually.
    netwitness_nodalcluster.png
  • Attributes and actions are better differentiated. Arrows that represent attributes ("as", "is named", "belongs to", and "has file") tend to be shorter than those representing actions ("call" and "communicates with").
    netwitness_nodalstrongforces.png

  • Leaf nodes, which are nodes that only have a single relationship to a single entity, tend to stay closer together.
  • Disjointed graphs, such as clusters of entities and relationships that do not have connections with one another, are forced apart.
    netwitness_nodalseparateclusters.png

Dragged nodes are pinned in place. Double-click a node to unpin it and allow the forces to apply again to the node.

Select Node Types to View on the Nodal Graph

Note: This option is available in NetWitness Platform Version 11.2 and later.

In the Incident Details view nodal graph, you can hide node types to further study the interactions between the entities on the nodal graph.

  1. Go to Respond > Incidents.
  2. In the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.
    The Incident Details view for the selected incident appears with the Nodal Graph in view. The legend below the nodal graph has all of the entity node types selected by default.
    If you do not see the nodal graph, click netwitness_ic-nodal_graph.png.
    netwitness_12.1_nodaldefault_1122_864x423.png
  3. To hide node types, in the legend, clear the checkbox for the node types that you would like to hide in the nodal graph.

    The following example shows the IP address node type cleared and the IP address nodes are now hidden.
    netwitness_12.1_nodalnoip_1122_864x422.png
  4. To include (unhide) node types, select the checkbox for the node types that you would like to appear in the nodal graph.
    Hiding node types can be especially helpful if the nodal diagram has overlapping entity relationships as shown in the following figure.netwitness_nodaldefault2_864x771.png

    After hiding the IP node types, you can get a better understanding of what is happening with the remaining nodes.
    netwitness_nodalnoip2_864x732.png

Filter the Data in the Incident Details View

You can click indicators in the Indicators panel to filter what you can see in the Nodal Graph and the Events List.

If you select an indicator to filter the nodal graph, data that is not part of your selection is dimmed, but it is still in view as shown in the following figure.

netwitness_12.1_incnodal_filtered_1122_960x566.png

If you select an indicator to filter the Events List, only the events for that indicator are shown in the list. The following figure shows an indicator selected that contains ninety-eight events. The filtered Events List shows those ninety-eight events.

netwitness_12.1_eventdetailsindsel_1122_960x568.png

View the Tasks Associated with an Incident

Threat responders and other analysts can create tasks for an incident and track those tasks to completion. This can be very helpful, for example, when you require actions on incidents from teams outside of your security operations. You can view the tasks associated with an incident in the Incident Details view.

  1. Go to Respond > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident.
  3. In the Journal on the right side of the Incident Details view, click the TASKS tab.
    If you cannot see the Journal, click Journal & Tasks and then click the TASKS tab.
    The Tasks panel shows all of the tasks for the incident.
    netwitness_taskspanel_288x523.png

For more information about tasks, see Tasks List View, View All Incident Tasks, and Create a Task.

View Incident Notes

The incident Journal enables you to view the history of activity on your incident. You can view journal entries from other analysts and also communicate and collaborate with them.

  1. Go to Respond > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident.
    The Journal on the right side of the Incident Details view shows all of the journal entries for the incident.
    If you cannot see the Journal, in the toolbar, click Journal & Tasks.
    netwitness_journalpanel_288x524.png

Find Related Indicators

Related Indicators are alerts that were not originally part of the selected incident, but they are related in some way to the incident. The relationship may or may not be obvious. For example, related indicators can involve one or more entities from the incident, but they can also be related due to some intelligence outside of NetWitness.

In the Incident Details view Related Indicators panel, you can search for an entity (such as IP, MAC, Host, Domain, User, Filename, or Hash) in other alerts outside of the current incident.

  1. Go to Respond > Incidents and locate the incident that you want to view in the Incidents List.
  2. Click the link in the ID or NAME field of the incident.
  3. In the left panel of the Incident Details view, click the FIND RELATED tab.
    The Related Indicators panel is displayed.
    netwitness_findalerts1_288x487.png
  4. In the Find field, select the entity type to search, such as IP.

  5. In the Value field, type a value for the entity, such as a specific IP address.

  6. In the When field, select the time period to search, such as the Last 24 Hours.

  7. Click Find.
    A list of related indicators (alerts) appear below the Find button in the Indicators for section. If an alert is not part of another incident, you can click the Add to Incident button to add the related indicator (alert) to the current incident. See Add Related Indicators to the Incident below.

Add Related Indicators to the Incident

You can add related indicators (alerts) to the current incident from Related Indicators panel. An indicator that is already part of an incident cannot be part of another incident. In the search results, if an alert is not already part of an incident, it has an Add to Incident button.

  1. In the Related Indicators panel, do a search to find related indicators. See Find Related Indicators above.
    netwitness_findalerts1_288x487.png
  2. Review the alerts in the search results. The Indicators for section (below the Find button) lists the related indicators (alerts).
  3. To inspect the details of an alert before adding it as a related indicator to the incident, you can click the Open in New Window link to view the alert details for that indicator.
  4. For each alert that you want to add to the current incident as a related indicator, click the Add to Incident button.
    The button in the Related Indicators panel now shows Part of This Incident.
    netwitness_findrelated1_288x483.png
    The selected related indicator adds to the Indicators panel. The Indicators tab now shows the additional indicator.netwitness_12.1_findrelated2_1122_960x512.png