Escalate or Remediate the Incident

You may want to escalate an incident, assign incidents to another Analyst, or change the status and priority of an incident as you gather more information about it. This is useful if, for example, you upgrade the priority of an incident from high to critical after determining that the incident is a major breach. You may also want to send the incident to Archer Cyber Incident & Breach Response for additional analysis and action.

You can perform the following procedures to escalate or remediate an incident:


Send an Incident to Archer

Note: This option is available in NetWitness Version 11.2 and later. If Archer is configured as a data source in Context Hub, you can send incidents to Archer and you can see the Send to Archer option and Sent to Archer Status in NetWitness Respond.

When you send an incident to Archer, a Sent to Archer notification appears within the incident. When configured, the NetWitness Platform can start additional business processes in Archer Cyber Incident & Breach Response. You can view all of the incidents that were sent to Archer Cyber Incident & Breach Response using the filter in the Incident Lists view.

You send an incident to Archer by clicking the Send to Archer button in the Overview panel in the Incident Lists view or the Incident Details view.

Caution: The Send to Archer action is not reversible.

  1. Go to Respond > Incidents.
  2. From the Incidents List view, click the incident that you want to send to Archer Cyber Incident & Breach Response.
    The Overview panel appears on the right.
  3. In the Overview panel, click Send to Archer.

  4. Read the Confirm Send to Archer dialog and then click Yes to confirm sending the incident to Archer Cyber Incident & Breach Response. This action is not reversible.
    You will receive a confirmation that the incident was sent to Archer along with an Archer incident ID. In the Overview panel, the Send to Archer button changes to Sent to Archer.
    In the Incident Details view (click the link in the ID or NAME field of the incident sent to Archer) you can see the Sent to Archer notification above the Overview and Indicators panels. If you open the Journal, you can see a system journal entry that shows that the incident was sent to Archer and it now has an Archer ID number.

View All Incidents Sent to Archer

Note: This option is available in NetWitness Version 11.2 and later. If Archer is configured as a data source in Context Hub, you can send incidents to Archer and you will be able to see the Sent to Archer option and Sent to Archer Status in NetWitness Respond.

You can view incidents sent to Archer Cyber Incident & Breach Response using the Filter.

  1. Go to Respond > Incidents. The Incidents List is displayed.
  2. If you cannot see the Filters panel, in the Incident List view toolbar, click the Filters icon.
  3. In the Filters panel, under Sent To Archer, select Yes.
    The incidents list will be filtered to show incidents that were sent to Archer Cyber Incident & Breach Response.

Update an Incident

You can update an incident from several places. You can change the priority, status, or assignee from the Incident List view and the Incident Details view. For example, if you are an Analyst, you may want to assign yourself a case from the Incident List view if you see that it is related to another case you are working on. If you are an SOC Manager or an Administrator, you may want to view unassigned incidents from the Incident List view and assign the incidents as they come in. SOC Managers and Administrators can do bulk updates of the priority, status, or assignee instead of updating them one incident at a time.

From the Details view, you might want to change the status to In Progress once you begin working on an incident, and then update it to Closed or Closed - False Positive after you resolve the issue. Or you might change the priority of the incident to Medium or High as you determine the details of the case.

Change Incident Status

When an incident first appears in the incident list, it has an initial status of New. You can update the status as you complete your work on the incident. The following statuses are available:

  • Reopen
  • In Progress
  • Task Requested
  • Task Complete
  • Closed
  • Closed - False Positive

    Note: The New and Assigned statuses are removed from the Change Status drop-down list in version 12.0 and later.

Status Change Workflow

The following list shows, for each current status, the statuses that an incident can be changed to. Any change not listed is not allowed.

  • New: Assigned, In Progress, Closed / Closed - False Positive
  • Reopen: Assigned, In Progress, Closed / Closed - False Positive
  • Assigned: In Progress, Closed / Closed - False Positive
  • In Progress: Task Requested, Task Complete, Closed / Closed - False Positive
  • Task Requested: In Progress, Task Complete, Closed / Closed - False Positive
  • Task Complete: In Progress, Task Requested, Closed / Closed - False Positive
  • Closed / Closed - False Positive: Reopen

Note: When you select an incident and click Change Status, all the invalid statuses are grayed out in the Change Status drop-down list. This does not apply when multiple incidents are selected. Refer to the following figure.

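The Status Change Workflow above, as an added Python model (not NetWitness code): it lists the target statuses a single incident may move to, and applies the same rule to every incident in a multi-select, which is the behaviour the bulk Reopen note later on this page describes. Status names are taken from the workflow; the incident IDs in the usage are constructed.

```python
"""Model of the Respond incident Status Change Workflow.

Added example, not NetWitness code. The transition matrix is transcribed
from the workflow on this page; incident IDs used below are constructed.
"""

# The two closed statuses share one row and one column in the workflow.
CLOSED_STATUSES = frozenset({"Closed", "Closed - False Positive"})

# From-status -> statuses that the workflow allows as a change target.
# "Closed" stands for both "Closed" and "Closed - False Positive".
# (New and Assigned are no longer offered in the drop-down from 12.0,
# but an incident can still hold them as its current status.)
TRANSITIONS = {
    "New":            {"Assigned", "In Progress", "Closed"},
    "Reopen":         {"Assigned", "In Progress", "Closed"},
    "Assigned":       {"In Progress", "Closed"},
    "In Progress":    {"Task Requested", "Task Complete", "Closed"},
    "Task Requested": {"In Progress", "Task Complete", "Closed"},
    "Task Complete":  {"In Progress", "Task Requested", "Closed"},
    "Closed":         {"Reopen"},
}


def _fold(status):
    """Map either closed status onto the single 'Closed' workflow entry."""
    if status in CLOSED_STATUSES:
        return "Closed"
    if status not in TRANSITIONS:
        raise ValueError(f"unknown status: {status!r}")
    return status


def can_change(current, target):
    """True when the workflow allows changing current -> target."""
    return _fold(target) in TRANSITIONS[_fold(current)]


def allowed_targets(current):
    """Target statuses that would NOT be grayed out for one incident.

    The current status is never allowed (no status may change to itself),
    which matches the UI graying out the current status.
    """
    targets = set()
    for t in TRANSITIONS[_fold(current)]:
        targets.update(CLOSED_STATUSES if t == "Closed" else {t})
    return sorted(targets)


def check_bulk_change(incidents, target):
    """Validate one target status for a multi-select.

    incidents: mapping of incident ID -> current status.
    Returns (ok, offending_ids): ok is True only when every selected
    incident may move to target; offending_ids lists those that may not.
    """
    offending = [iid for iid, st in incidents.items()
                 if not can_change(st, target)]
    return (not offending, offending)


def bulk_change_message(incidents, target):
    """Error text in the style of the Respond UI, or None when the change is valid."""
    ok, offending = check_bulk_change(incidents, target)
    if ok:
        return None
    return ("One or more incidents status cannot be changed, "
            f"Please select a valid status! For example, {offending[0]}")


if __name__ == "__main__":
    # Constructed selection: one closed incident and one still in progress.
    selection = {"INC-101": "Closed", "INC-102": "In Progress"}
    print(allowed_targets("In Progress"))
    print(bulk_change_message(selection, "Reopen"))
```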

To update the status of multiple incidents:

  1. In the Incidents List view, select one or more incidents that you would like to change. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
  2. Click Change Status and select a status from the drop-down list. In this example, the current status is Assigned, but the Assignee would like to change it to In Progress for the selected incidents.


    Note: The incident status can be changed to Reopen only if the current status of the incident is Closed or Closed - False Positive. This also applies when multiple incidents are selected: if even one of the selected incidents has a status other than Closed or Closed - False Positive, the error message "One or more incidents status cannot be changed, Please select a valid status! For example, INC-x" is displayed. Refer to the following figure.


  3. If you select more than one incident, in the Confirm Update dialog, click OK.
    You can see a successful change notification. In this example, the status of the updated incidents now shows In Progress.

    Note: If you select a single incident and click Change Status, the current status of the incident is grayed out in the drop-down list. This does not apply if you select multiple incidents. Refer to the following figure.


To change the status of a single incident from the Overview panel:

  1. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that needs a status update.


    • From the Incident Details view, click the OVERVIEW tab.
      In the Overview panel, the Status button shows the current status of the incident.
  2. Click the Status button and select a status from the drop-down list.

    You can see a successful change notification.

    Note: The incident status can be changed to Reopen only if the current status of the incident is Closed or Closed - False Positive.

Change Events Retention

Events retention enables you to persist the events associated with particular incidents, so that you can view those incident-related events in the future regardless of their age. As long as an event is persisted, its data remains available for viewing and reconstruction, so you can easily refer back to the details even if the original event has rolled over from the NetWitness database. You can perform the following functions:

  • Persist all events
  • Suspend persisting all events

To change event retention:

  1. Select the incidents for which you want to change the event retention plan.
  2. Select Persist all events from the Change Events Retention tab to persist all the events that are associated with the selected incidents.
    1. A confirmation message appears. Click OK to persist all events.
      Persisting all events in an incident saves the event data in the long-term cache of the source.
  3. Select Suspend Persisting all events from the Change Events Retention tab to stop persisting the events that are associated with the selected incidents.
    1. A confirmation message appears. Click OK to suspend persisting all events.
      Suspending persistence of an incident's events deletes them from the long-term cache of the source only. This may not be reversible if the original event data has already rolled out of the source database.

Note: You cannot change the event retention for incidents that are in New or Closed state.

Obtain Retention Usage Details

The Retention Usage tab lets an analyst fetch the persisted-data disk usage statistics for all configured services and the percentage of disk used by the pinned cache directories. This helps the analyst determine whether the disk is running out of space and whether additional space needs to be added or persistence of the existing events in an incident should be suspended.


After the analyst clicks the Retention Usage tab, a Retention Information panel is displayed with the following information:

  • Percentage of the disk used by persisted data
  • Whether the cache directory is configured. If it is not configured, this is explicitly indicated.
  • Status of each configured service. If a service is not available, this is explicitly indicated.


Note: If disk usage exceeds the configured threshold, a warning message is displayed. The service threshold can be configured by navigating to Respond > Services > respond/core/properties > warning-threshold field.

Export Incident Data

The NetWitness Platform XDR enables analysts to export and store incidents, with their Alerts and Events, in JSON format for offline investigation. The Export drop-down lets you export and download the data (such as fields or attributes) associated with the Alerts and Events of the selected incidents. The data can only be downloaded in JSON format.

Schema Files for Incident Export

The NetWitness Platform XDR provides Schema files (Default and Custom), located at /var/netwitness/respond-server/export-schema, that let you export only a subset of the many attributes available in Mongo DB for Incidents and Alerts. Default schema files cannot be modified, but the Custom schema files can be modified to add attributes as required. For more information, see Schema Files for Incidents and Schema Files for Alerts.

Schema Files for Incidents

The Incident Schema files contain various fields or attributes associated with an Incident. Based on the requirement, you can modify these Schema files and download additional fields. The Schema files are categorized into two types:

  • Default Incident Schema File (default_incident_export.json): This file contains the default list of Incident attributes (in Mongo DB) that are exported. This pre-populated out-of-the-box file provided by NetWitness Platform XDR must not be modified.

  • Custom Incident Schema File (custom_incident_export.json): This is an empty file provided by NetWitness Platform XDR so that users can download attributes that are not in the Default Incident Schema File but are listed in the incident collection in Mongo DB.

    To download the required attributes using Custom Incident Schema File:

    1. Edit the custom_incident_export.json file located at /var/netwitness/respond-server/export-schema to add the required attributes.

    2. Restart the Respond Service.

    3. Export the Incidents data from UI.

      Note:

      - The attributes downloaded using the Custom Incident Schema File include the attributes already listed in the Default Incident Schema File as well as the newly added attributes.

      - By default, the URL of an incident is added to the exported report; it can be used to navigate directly to the incident in the incident view page.

Schema Files for Alerts

The NetWitness Platform XDR allows you to download various fields or attributes associated with the Original and Normalized alerts.

Original Alerts

The alerts triggered and received through different sources such as Endpoint, User Entity Behavior Analytics (UEBA), Event Stream Analysis (ESA), Malware Analysis, NetWitness Investigate, Reporting Engine, Risk Scoring, Web Threat Detection, and Detect AI are Original Alerts.

Normalized Alerts

The structure or pattern of the Original Alerts varies based on the source from which the alerts are triggered. These alerts are normalized and standardized in the Respond service to unify their structure.

Based on the attributes (associated with the Original and Normalized Alerts) downloaded, the Alerts Schema files are categorized into:

  • Default Original Alerts Schema File (default_alert_original_export.json): This file contains the default list of Original Alert attributes (in Mongo DB) that are exported. This pre-populated out-of-the-box file provided by NetWitness Platform XDR must not be modified.

  • Custom Original Alerts Schema File (custom_alert_original_export.json): This is an empty file provided by NetWitness Platform XDR so that you can download attributes that are not in the Default Original Alerts Schema File but are listed in the originalAlert (alert > originalAlert) collection in Mongo DB.

  • Default Normalized Alerts Schema File (default_alert_normalized_export.json): This file contains the default list of Normalized Alert attributes (in Mongo DB) that are exported. This pre-populated out-of-the-box file provided by NetWitness Platform XDR must not be modified.

  • Custom Normalized Alerts Schema File (custom_alert_normalized_export.json): This is an empty file provided by NetWitness Platform XDR so that you can download attributes that are not in the Default Normalized Alerts Schema File but are listed in the alert (alert > alert) collection in Mongo DB.

To export the Incident data:

  1. Go to Respond > Incidents.

  2. In the Incidents List view, select one or more incident and click the Export drop-down.


    IMPORTANT: To access the Export drop-down, you must have permission to escalate or remediate the incident.

    Note: The Export drop-down is enabled only in the following scenarios:
    - When an incident is selected in the Incidents List view.
    - When a different set of incidents is selected in the Incidents List view after an incident data export.
    - When you select the same set of incidents again in the Incidents List view to export the data.

    Note:
    - You must refresh the page before you can select the same set of incidents again in the Incidents List view to export the data.
    - You can export the data of a maximum of ten incidents at a time. Once a data download is in progress, you can select a different set of incidents (up to ten) and export their data simultaneously. You can repeat this until the max-user-tasks limit (the maximum number of incident data exports, set in the Respond service under rsa.respond.incident.exports) is reached.

  3. Select one of the following options in the Export drop-down list to download the files.

    • Original Alerts: Select this option to download the attributes associated with the Original Alerts. For more information, see Original Alerts.

    • Normalized Alerts: Select this option to download the attributes associated with the Normalized Alerts. For more information, see Normalized Alerts.


      Once the file download is initiated, a notification message is displayed.

  4. Click the job queue link.


    The Jobs page is displayed.

  5. Select the file and click Download under the Action column once the download status is displayed as Completed under the Status column.


Change Incident Priority

The incident list is sorted by Priority by default. You can update the priority as you study the details of the case. The following priorities are available:

  • Critical
  • High
  • Medium
  • Low

Note: You cannot change the priority of a closed incident.

To update the priority of multiple incidents:

  1. In the Incidents List view, select one or more incidents that you would like to change. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
  2. Click Change Priority and select a priority from the drop-down list. In this example, the current priority is High, but the Analyst would like to change it to Critical for the selected incidents.
  3. If you select more than one incident, in the Confirm Update dialog, click OK.
    You can see a successful change notification. In this example, the priority of the updated incidents now shows Critical.

To change the priority of a single incident from the Overview panel

  1. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that needs a priority update.
    • From the Incident Details view, click the Overview tab in the left panel.
      In the Overview panel, the Priority button shows the current priority of the incident.
  2. Click the Priority button and select a priority from the drop-down list.

    You can see a successful change notification. The Priority button changes to show the new incident priority.

    Note: The current priority is grayed out in the Priority drop-down list and cannot be selected.

Assign Incidents to Other Analysts

You can assign incidents to other Analysts in the same way as you assign incidents to yourself. SOC Managers and Administrators can assign multiple incidents to a user at the same time.

Note: You cannot change the assignee of a closed incident.

To assign multiple incidents to a user:

  1. In the Incidents List view, select the incidents that you would like to assign to a user. To select all of the incidents on the page, select the box in the incidents list header row. The number of incidents selected appears in the incidents list footer.
  2. Click Change Assignee and select a user from the drop-down list. In this example, the incidents are unassigned, but they should be assigned to an Analyst.
  3. If you select more than one incident, in the Confirm Update dialog, click OK.
    You can see a successful change notification. The assignee changes to the selected user.

To assign a user to an incident from the Overview panel:

  1. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that you would like to assign to a user.
    • From the Incident Details view, click the Overview tab in the left panel.
      In the Overview panel, the Assignee button shows the current assignee of the incident. In the following example, the Assignee button shows Unassigned.
  2. Click the Assignee button and select a user from the drop-down list.
    You can see a successful change notification. The Assignee button changes to show the assigned user.

    Note: The current assignee's name is grayed out in the Assignee drop-down list and cannot be selected.

Rename an Incident

You can rename an incident from the Overview panel in the Incidents List view and the Incident Details view. For example, you may want to rename an incident to provide clarification about the issue, especially if multiple incidents have the same name.

  1. Go to Respond > Incidents.
  2. To open the Overview panel, do one of the following:
    • From the Incidents List view, click the row of an incident that needs a name change.
      The Overview panel opens.
    • From the Incident Details view, click the OVERVIEW tab in the left panel.
      In the header above the Overview panel, you can see the incident ID and the incident name.
  3. Click the incident name in the header to open a text editor.
  4. Type a new name for the incident in the text editor and click the check mark to confirm the change.
    For example, you can change "High Risk Alerts: ESA for 90.0" to "High Risk Alerts for mail.emc.com" for more clarification.
    You can see a successful change notification.
    The incident name field shows the new name.

View All Incident Tasks

When additional work is required for an incident, you can create tasks for the incident and track the progress on those tasks. This is helpful, for example, when the work being done is outside security operations or you make a request for a computer reimage. In the Tasks List view, you can manage and track the tasks to closure.

  1. Go to Respond > Tasks.
    The Tasks List view displays a list of all incident tasks.
  2. Scroll through the tasks list, which shows basic information about each task as described in the following table.
    • Created: Displays the date when the task was created.
    • Priority: Displays the priority assigned to the task. The priority can be Critical, High, Medium, or Low. The priority is also color coded: red indicates Critical, orange represents High risk, yellow indicates Medium risk, and green represents Low risk.
    • ID: Displays the task ID.
    • Name: Displays the task name.
    • Assignee: Displays the name of the user assigned to the task.
    • Status: Displays the status of the task: New, Assigned, In Progress, Remediated, Risk Accepted, or Not Applicable.
    • Last Updated: Displays the date and time when the task was last updated.
    • Created By: Displays the user who created the task.
    • Incident ID: Displays the incident ID for which the task was created. Click the ID to display the details of the incident.

At the bottom of the list, you can see the number of tasks on the current page, the total number of tasks, and the number of tasks selected. For example: Showing 6 out of 6 items | 2 selected.

Filter the Tasks List

The number of tasks in the Tasks List can be very large, making it difficult to locate particular tasks. The Filter enables you to specify those tasks that you would like to view, such as tasks created within the last 7 days. You can also search for a specific task.

  1. Go to Respond > Tasks.
    The Filters panel appears to the left of the Tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click the Filters icon, which opens the Filters panel.
  2. In the Filters panel, select one or more options to filter the tasks list:
    • Time Range: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the tasks. For example, if you select Last Hour, you can see tasks that were created within the last 60 minutes.
    • Custom Date Range: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of CUSTOM DATE RANGE to view the Start Date and End Date fields. Select the dates and times from the calendar.
    • Task ID: Type the Task ID for a task that you would like to locate, for example REM-123.
    • Priority: Select the priorities that you would like to view.
    • Status: Select one or more task statuses. For example, select Remediated to view completed remediation tasks.
    • Created By: Select the user who created the tasks that you would like to view. For example, if you only want to view the tasks created by Edwardo, select Edwardo from the CREATED BY drop-down list. If you want to view tasks regardless of the person who created the task, do not make a selection under CREATED BY.

    The Tasks List shows a list of tasks that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the tasks list.
    For example: Showing 6 out of 6 items

  3. If you want to close the Filters panel, click X. Your filters remain in place until you remove them.

Remove My Filters from the Tasks List

NetWitness remembers your filter selections in the Tasks List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of tasks that you expect to see or you want to view all of the tasks in your tasks list, you can reset your filters.

  1. Go to Respond > Tasks.
    The Filters panel appears to the left of the tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click the Filters icon, which opens the Filters panel.
  2. At the bottom of the Filters panel, click Reset Filters.

Create a Task

After you investigate an incident and know more about it, you can create a task, assign it to a user, and track it to closure. You create tasks from the Incident Details view.

  1. Go to Respond > Incidents.
    The Incidents List view displays a list of all of the incidents.
  2. Locate the incident that needs a task and click the link in the ID or Name field.
  3. In the Journal panel on the right side of the Incident Details view, click the Tasks tab.
    If you do not see the Journal panel, click Journal & Tasks and then click the Tasks tab.
  4. In the Tasks panel, click Add New Task.
    You can see the new task fields.
    If the incident is in a closed state (Closed or Closed - False Positive), the Add New Task button is disabled.
  5. Provide the following information:
    • Name - Name of the task. For example: Re-image the machine.
    • Description - (Optional) Type information that describes the task. You may want to include any applicable reference numbers.
    • Assignee - (Optional) Type the username of the user to whom the task is to be assigned.
    • Priority - Click the priority button and select a priority for the tasks from the drop-down list: Low, Medium, High, or Critical.
  6. Click Save.
    You can see a confirmation that your change was successful. The incident status changes to Task Requested. (You may need to refresh the Incident Details view to see the changes.) The task appears in the Tasks panel for this incident.
    In the Incidents List view, the incident status also changes to Task Requested.
    The task also appears in the Tasks list (Respond > Tasks), which shows a list of all incident tasks.

Note: If you do not see the status change, you may need to refresh your internet browser.

Find a Task

If you know the Task ID, you can quickly locate a task using the Filter. For example, you may want to locate a specific task out of thousands of tasks.

  1. Go to Respond > Tasks.
    The Filters panel appears to the left of the Tasks list. If you do not see the Filters panel, in the Tasks List view toolbar, click the Filters icon, which opens the Filters panel.
  2. In the Task ID field, type the Task ID for a task that you would like to locate, for example REM-1234.

    The specified task appears in your task list. If you do not see any results, try resetting your filters.

Modify a Task

You can modify a task from within an incident and from the Tasks list. For example, you may want to show the status of the task as In Progress and add some additional information to the task. If the task is in a closed state (Not Applicable, Risk Accepted, or Remediated), you cannot modify the Priority or Assignee.

To modify a Task from within an incident:

  1. Go to Respond > Incidents.
    The Incidents List view displays a list of all incidents.

  2. Locate the incident that needs a task update and click the link in the ID or Name field.

  3. In the Journal panel on the right side of the Incident Details view, click the Tasks tab.
    If you do not see the Journal panel, click Journal & Tasks and then click the Tasks tab.
    In the Tasks panel, a pencil icon indicates a text field that you can change. A button indicates that there is a drop-down list to make a selection.
  4. You can modify any of the following fields:
    • Name - Click the current task name to open a text editor.
      Click the check mark to confirm the change. For example, you can change "Re-image the machine" to "Re-image the machine ASAP!"
    • Assignee - Click (Unassigned) or the name of the previous assignee to open a text editor. Type the username of the user to whom the task is to be assigned.
      Click the check mark to confirm the change.
    • Priority - Click the Priority button and select a priority for the task from the drop-down list: Low, Medium, High, or Critical.
    • Status - Click the Status button and select a status for the task from the drop-down list: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable. For example, you can change the status to In Progress.
    • Description - Click the text underneath the description to open a text editor.
      Modify the text and click the check mark to confirm the change.

For each change that you make, you can see a confirmation that your change was successful.

To modify a Task from the Tasks list:

  1. Go to Respond > Tasks.
    The Tasks List view displays a list of all incident tasks.
  2. In the Tasks list, click the task that you want to update.
    The Task Overview panel appears to the right of the tasks list.
    In the Task Overview panel, a pencil icon indicates a text field that you can change. A button indicates that there is a drop-down list to make a selection.
  3. You can modify any of the following fields:
    • <Task Name> - At the top of the Task Overview panel, below the Task ID, click the current task name to open a text editor.
      Click the check mark to confirm the change. For example, you can change Isolate Host to Isolate Host Machine.
    • Priority - Click the Priority button and select a priority for the task from the drop-down list: Low, Medium, High, or Critical.
    • Status - Click the Status button and select a status for the task from the drop-down list: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable.
    • Assignee - Click (Unassigned) or the name of the previous assignee to open a text editor. Type the username of the user to whom the task is to be assigned.
      Click the check mark to confirm the change.
    • Description - Click the text underneath the description to open a text editor.
      Modify the text and click the check mark to confirm the change.

For each change that you make, you can see a confirmation that your change was successful.

Delete a Task

You can delete a task, if, for example, you created it in error or you find that it is not needed. You can delete a task from within an incident and also from the Tasks List view. In the Tasks List view, you can delete multiple tasks at the same time.

To Delete a Task from within an incident:

  1. Go to Respond > Incidents.
    The Incidents List view displays a list of all incidents.

  2. Locate the incident that needs a task update and click the link in the ID or Name field.

  3. In the Journal panel on the right side of the Incident Details view, click the Tasks tab.
    If you do not see the Journal panel, click Journal & Tasks and then click the Tasks tab.
    In the Tasks panel, you can see the tasks created for the incident.
  4. Click the trash can icon to the right of the task that you want to delete.
  5. Confirm that you want to delete the task and click OK.
    The task is deleted from NetWitness. Deleting tasks from NetWitness does not delete them from other systems.

To Delete Tasks from the Tasks List:

  1. Go to Respond > Tasks.
    The Tasks List view displays a list of all incident tasks.
  2. In the Tasks list, select the tasks that you want to delete and click Delete.
  3. Confirm that you want to delete the tasks and click OK.
    The tasks are deleted from NetWitness. Deleting tasks from NetWitness does not delete them from other systems.

Close an Incident

When you have arrived at a solution after investigating an incident and remediating it, you close the incident.

  1. Go to Respond > Incidents.
  2. In the Incident List view, select the incident that you want to close and click Change Status.
  3. Select Closed from the drop-down list.
    You can see a successful change notification. The incident is now closed. You cannot change the priority or assignee of a closed incident.

Note: You can also close an incident in the Overview panel. You can close multiple incidents at the same time in the Incident List view. Change Incident Status provides additional details.