Incident Details View

In the Incident Details view (Respond > Incidents > click an ID or NAME hyperlink in the Incidents List), you can view and access extensive incident details. The Incident Details view contains multiple panels that provide the following benefits:

  • Overview: View an incident summary and update the incident.
  • Indicators: View the indicators (alerts) involved in the incident, the events within those alerts, and available enrichment information. You can also access Event Analysis details for some events and perform event reconnaissance.
  • Related Indicators: View indicators (alerts) that are related to the incident and add them to the incident if they are not associated with an incident.
  • History: View all the actions performed by the user on any incident.
  • Nodal Graph: Visualize the size and interactions between entities (IP address, MAC address, user, host, domain, file name, or file hash).
  • Events List: Study the events associated with the incident.
  • Journal: Add notes and collaborate with other analysts.
  • Tasks: Create incident tasks and track them to closure.

You can also filter the data in the Incident Details view to study indicators and entities of interest.

Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness.

netwitness_incdetails_ui_wf_576x150.png

In the Incident Details view, you can use the extensive information provided about the incidents to determine which incidents require action. You also have the tools and information to investigate the incident, and then escalate or remediate it.

What do you want to do?

Role I want to ... Show me how

Incident Responders, Analysts, and SOC Manager

View prioritized incidents, filter and sort the incident list, find incidents, view my incidents, and assign incidents to myself.

Review Prioritized Incident List

Incident Responders, Analysts View incident details.* View Incident Details
Incident Responders, Analysts View alerts and enrichments.* View the Indicators and Enrichments
Incident Responders, Analysts View events.* View and Study the Events
Incident Responders, Analysts (Additional permissions required) View event analysis for an event.* View Event Analysis Details for Indicators
Incident Responders, Analysts View a graph of the entities involved in the events.* View and Study the Entities Involved in the Events on the Nodal Graph
Incident Responders, Analysts Filter the incident data.* Filter the Data in the Incident Details View
Incident Responders, Analysts View and add incident notes.* View Incident Notes and Document Steps Taken Outside of NetWitness
Incident Responders, Analysts View and create tasks.* View the Tasks Associated with an Incident and Create a Task
Incident Responders, Analysts Add related alerts and add them to the incident.* Find Related Indicators and Add Related Indicators to the Incident
Incident Responders, Analysts View contextual information about an incident from Context Hub.* View Contextual Information
Incident Responders, Analysts Reduce false positives by adding an entity to a whitelist.* Add an Entity to a Whitelist
Incident Responders, Analysts Pivot to NetWitness Investigate.*

Pivot to the Investigate > Events View

Incident Responders, Analysts Pivot to NetWitness Endpoint.* Pivot to NetWitness Endpoint Thick Client
Incident Responders, Analysts, and SOC Manager Send an incident to Archer Cyber Incident & Breach Response.* Send an Incident to Archer
Incident Responders, Analysts Update or close an incident.*

Update an Incident and Close an Incident

Incident Responders, Analysts, and SOC Manager

View all tasks.

Escalate or Remediate the Incident

Incident Responders, Analysts, and SOC Manager

Bulk update incidents and tasks.

Escalate or Remediate the Incident

*You can complete these tasks here (that is, in the Incident Details view).

Related Topics

Quick Look

The following example shows the locations of the Incident Details view panels.

Incident Details view Quick Look Diagram

Incident Details view Quick Look Diagram showing Event Analysis in the Respond view

Incident Details view Quick Look Diagram showing UEBA in the Respond view

netwitness_history_view.png

1 Overview (Click the Overview tab to view the Overview panel.)
2 Indicators Panel
3 Related Indicators Panel (Click the Find Related tab to view it.)
4 Nodal Graph
5 Events List (Click the top of an event in the Events List to view event details.)
6 Journal Panel
7 Tasks Panel (Click the Tasks tab to view it.)
8 Events (Click an event type hyperlink in the Indicators panel, such as Network, to view the Events view from Investigate for a specific indicator event.)
9 UEBA (Click a User Entity Behavior Analytics hyperlink in the Indicators panel to view UEBA.)
10 History Panel

Note: Your Incident Details view may not look like these diagrams because the layout changed in NetWitness 11.3.2 and later versions.
The Related tab is renamed as the Find Related tab and is located on the left-side panel.
The journal is open by default on the right-side panel. When the journal is closed, the Journal & Tasks button enables easy access to notes and tasks.

Overview Panel

The Overview panel shows basic summary information about a selected incident. It also allows you to change the incident name and update the incident priority, status, and assignee. The Overview panel in the Incidents List view contains the same information. The Incidents List view Incident Overview Panel topic provides details.

To view the Overview panel in the Incident Details view, click the Overview tab in the left panel.

netwitness_time_to_resolve_incident_overview.png

Indicators Panel

The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. (This is different than a timeline, which provides a visual representation of the timing of the events in the incident). This listing helps you to connect indicators and notable data. For example, an IP address connected to a command and communication ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activities.

To view the Indicators panel, in the left panel of the Incident Details view, click the Indicators tab.

netwitness_incdetql9_384x757.png

Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. In the Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of the events.

Note: The maximum number of indicators (alerts) displayed in the Indicators panel is 1,000.

Related Indicators Panel

The Related Indicators panel enables you to search the NetWitness alerts database to find alerts that are related to this incident. You can add alerts that you find to the incident if they are not already associated with an incident.

To view the Related Indicators panel, in the left panel of the Incident Details view, click the Find Related tab.

netwitness_findalertsrelated_384x809.png

The following table describes the fields in the search section at the top of the panel.

Field Description

Find

Select the entity that you would like to locate in the alerts. For example, IP.

Value

Type the value of the entity. For example, type the actual IP address of the entity.

When

Select a time range to search for the alerts. For example, Last 24 hours.

Find button

Initiates the search. A list of related indicators appear below the Find button in the Indicators for section.

The following table describes the options in the Indicators for (results) section at the bottom of the panel.

Option Description
Indicators For: Shows the search results.

Open in new window link

Shows alert details for the indicator.

Add To Incident button

Adds the related indicator to the incident. The related indicator adds to the Indicators panel.

Part Of This Incident button

Shows that the indicator is already part of the incident.

 

History Panel

The History panel displays every action performed by the user on an incident. The various actions performed on an incident are as shown below

  • Incident Assignee Change

  • Incident Status Change

  • Incident Priority Change

  • Incident Creation

Every time a user performs an action on an incident, the date and time also gets recorded and is displayed in the panel. Consider the following example

netwitness_hstry_panel.png

The different actions performed by the user are described below

  • In this example, the Incident INC-4393960 was created by the user (System) on 18/04/2022 at 09:05:12 am.

    netwitness_hstry_panel_inc_creation.png

  • After the incident creation, PSR_admin assigned the incident to Admin on 18/04/2022 at 09:07:55 am. Hence, the status of the incident is changed from New to Assigned.

    netwitness_hstry_panel_unassigned_to_admin.png

    netwitness_hstry_panel_new_to_assigned.png

  • Later, PSR_admin changed the Incident assignee from Admin to PSR_admin on 18/04/2022 at 09:08:00 am.

    netwitness_hstry_panel_admin_to_psr_admin.png

  • After changing the assignee, PSR_admin changed the Incident status from Assigned to In Progress on 18/04/2022 at 09:08:09 am.

    netwitness_hstry_panel_status_assigned_to_in_progress.png

  • Later, the Incident priority was changed from Critical to High on 18/04/2022 at 09:08:14 am by PSR_admin.

    netwitness_hstry_panel_priority_change.png

Events

You can perform an event analysis from the Indicators panel. Event counts preceded by an EA (event analysis) icon have event reconnaissance information available: netwitness_viewea2.png. You can select an event type hyperlink, such as Network, to access the Events panel for the selected event.

In the Events panel, you can view raw events and metadata with interactive features that enhance your ability to find meaningful patterns in the data. You can examine network, log, and endpoint events. The Events panel in the Respond view shows the Events view from Investigate for specific indicator events. For detailed information about the Events view, see the NetWitness Investigate User Guide.

netwitness_eventanalpnl_768x485.png

Note: Migrated incidents from NetWitness versions before 11.2 will not show the Events panel in the Respond Incident Details view Indicators panel. Likewise, if you use alerts that were migrated from versions before 11.2 to create incidents in 11.5, you will also not be able to view the Events panel in the Respond view for those incidents.

User Entity Behavior AnalyticsUser Entity Behavior Analytics

NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. You can access UEBA from the Respond Incident Details view Indicators panel. Indicators with a User Entity Behavior Analytics hyperlink have additional UEBA information available. For detailed information about UEBA, see the NetWitness UEBA User Guide.

netwitness_12.1_eventdetailsueba_1122_768x360.png

Nodal Graph

The nodal graph is an interactive graph that shows the entities involved in the incident. An Entity is represented by an IP address, MAC address, user, host, domain, file name, or file hash.

netwitness_incdetql8_768x664.png

netwitness_nodalsingleuser.png

Nodes

In the nodal graph, circles represent nodes. The following table describes the nodal graph node types.

Node Description

IP address

If the event is a detected anomaly, you can see a Detector IP. If the event is a transaction, you can see a Destination IP and a Source IP.

MAC address

You may see a MAC address for each type of IP address.

User

If the machine is associated with a user, you can see a user node.
Host A host can be physical equipment or a virtual machine, designated by a Fully Qualified Domain Name (FQDN) or IP address, on which any service is installed.
Domain If a host is associated with a domain, you can see a domain node.
Filename If the event involves files, you can see a filename.

File Hash

If the event involves files, you may see a file hash.

The legend at the bottom of the nodal graph shows the number of nodes of each type and the color coding of the nodes. It also helps you to locate the entities when the values, such as the IP addresses, are hashed.

You can click any node and drag it to reposition it.

In NetWitness, you can select the node types that you want to view by clearing or selecting the checkboxes in the legend. The following figure shows an example nodal graph legend with all node types selected except IP.
netwitness_11.2_nodallegend_672x47.png

Arrows

The arrows between the nodes provide additional information about the entity relationships. The following table describes the nodal graph arrow types.

Arrow Description
Communicates with An arrow between a Source machine node (IP address or MAC address) and a Destination machine node labeled with "communicates with" shows the direction of the communication.
Has file An Arrow between a machine node (IP address, MAC address, or Host) and a file hash node labeled with "has file " indicates that the IP address has that file.
Uses An arrow between a User node and a machine node (IP address, MAC address, or Host) labeled with "uses" shows the machine that the user was using during the event.

Calls

An arrow between two file hash (checksum) nodes labeled with "calls" indicates the direction of the interaction between the associated files. The source file hash "calls" the target (destination) file hash, which indicates that the source file associated with the source file hash is performing an action on the target file associated with the target file hash.

As

(This relationship type represents attributes of the connected node.) An arrow between nodes labeled with "as" provides additional information about the IP address that the arrow points to. For example, if there is an arrow from the host node circle that points to an IP address node that is labeled with "as", it indicates that the name on the host node circle is the hostname of that IP address and is not a different entity.

Is named (This relationship type represents attributes of the connected node.) An arrow from a File Hash node to a File Name node labeled with "is named" indicates that the file hash corresponds to a file with that name.

Belongs to

(This relationship type represents attributes of the connected node.) An arrow between two nodes labeled with "belongs to" indicates that they pertain to the same node. For example, an arrow between a MAC address and a Host labeled with "belongs to" indicates that it is the MAC address of the host.

Larger line size arrows indicate more communication between the nodes. Larger nodes (circles) indicate more activity than smaller nodes. The larger nodes are the most common entities mentioned in the events.

Events List

The Events List shows the events associated with the incident. It shows information about the events, such as event time, source IP, destination IP, detector IP, source user, target user, and file information about the events. The amount of information listed depends on the event type. The maximum number of events displayed in the Events List is 1,000.

The following figure shows an Events List for network events.

netwitness_eventslist_768x539.png

Note: The EVENT TIME displayed on this screen is the same as the COLLECTION TIME from the investigation page.

Each event has a header row with the following information:

  • Risk score: This is the risk score of the indicator (alert) that contains the event.
  • Title: This is the name of the event.
  • (Event x of x): This indicates the number of the event out of the total number of events in the indicator.

For example, the following event header shows that this event is event 2 of 2 for an indicator (alert) that has a risk score of 90. The event name is In Program Data Followed by SSL Over Non Standard Port.
netwitness_11.3eventheader.png

The following table describes the fields in the Events List for network or log events.

Field

Description

EVENT TIME Shows the time the event occurred.
EVENT TYPE Shows the type of alert, such as Log and Network.

DETECTOR IP

Shows the IP address of the machine where an anomaly was detected

FILE NAME Shows the file name if a file is involved with the event.

FILE HASH

Shows a hash of the file contents.

SOURCE IP Shows the source IP address if there was a transaction between two machines.

SOURCE PORT

Shows the source port of the transaction. The source and destination ports can be on the same IP address.

SOURCE HOST Shows the destination host where the event took place.

SOURCE MAC

Shows the MAC address of the source machine.

SOURCE USER Shows the user of the source machine.

TARGET IP

Shows the destination IP address if there was a transaction between two machines

TARGET PORT Shows the destination port of the transaction. The source and destination ports can be on the same IP address.

TARGET HOST

Shows the HOST name of the destination machine.

TARGET MAC Shows the MAC address of the destination machine.

TARGET USER

Shows the user of the destination machine.

The following figure shows an Events List for NetWitness Endpoint events.

netwitness_eventslist_ep_768x475.png

The following table describes the fields in the Events List for NetWitness Endpoint events. NetWitness Endpoint events have an Endpoint Event Type and an nwendpoint Device Type. NetWitness Endpoint events from version 4.4.x and earlier can have an Event Type that shows the origin of the event.

Field

Description

EVENT TIME Shows the time the event occurred.
EVENT TYPE Shows the type of alert, such as Endpoint or Log. NetWitness Endpoint events have an Endpoint event type. NetWitness Endpoint events from version 4.4.x and earlier can have an Event Type that shows the origin of the event.
CATEGORY Shows the NetWitness Endpoint category.
ACTION Shows the action that the file performed.
HOSTNAME Shows the name of the machine that is running the agent.
USER ACCOUNT Shows the username of the actively logged in user.
OPERATING SYSTEM Shows the operating system of the agent.
FILE HASH Shows the checksum of the file.
SOURCE FILENAME Shows the name of the source file.
SOURCE LAUNCH ARGUMENT Shows the command line argument for the running process.
SOURCE PATH Shows the path of the source file.
SOURCE HASH Shows the checksum of the source file.
SOURCE IP ADDRESS Shows the IP address of the agent.
SOURCE PORT Shows the source port of the connection.
TARGET FILENAME Shows the name of the target file.
TARGET LAUNCH ARGUMENT Shows the command line argument for the running process.
TARGET PATH Shows the path of the target file.
TARGET HASH Shows the checksum of the target file.
TARGET IP ADDRESS Shows the destination IP address of this NetWitness activity.
TARGET PORT Shows the destination port of the connection.
EVENT SOURCE Shows the hostname or IP address along with the port of the of the Core service that holds the event information.
DEVICE TYPE Shows the type of the device from which the data is sent or collected. For example, it shows nwendpoint for NetWitness Endpoint.

Event DetailsEvent Details

To view the event details, you can click the top of an event in the Events List. The details appear below the event. Viewing inline event details enables you to keep the context of the event as it relates to the other events.

The following figure shows an indicator (alert) selected in the Indicators panel. The events for that indicator appear in the Events List on the right.

netwitness_12.1_eventdtlsoneevent2_1122_768x448.png

The following figure shows a specific indicator event selected in the Indicators panel. Information about the selected event appears in the Events List on the right.

netwitness_12.1_eventdetails3_1122_768x443.png

Journal Panel

The incident Journal shows the history of activity on your incident.

netwitness_journalpnlql_288x534.png

The following table describes the New Journal Entry options.

Field Description
New Journal Entry Type your note in the field.
Milestone (Optional) Select a milestone, if applicable. This field is used to track significant events for the incident.
Submit button Click submit to add an entry to the journal. You journal entry will be visible to anyone who views the incident.

Tasks Panel

In the Tasks panel, you can manage and track the incident tasks to closure.

netwitness_incdetql2_288x572.png

The following table describes the Task fields.

Field Description
<Task ID / <Incident ID> The autogenerated Task ID / The incident associated with the task.
Created The created date of the task.
Last Updated The date that the task was last modified.
Opened The time that passed since the task was opened. For example, 3 minutes ago or 2 days ago.
Name The name of the task. For example: Re-image the machine. You can click this field to edit it.
Assignee The username of the user assigned to the task. You can click this field to edit it.
Priority The priority of the task: Low, Medium, High, or Critical. You can click the priority button and select a new priority for the task from the drop-down list.
Status The status of the task: New, Assigned, In Progress, Remediated, Risk Accepted, and Not Applicable. You can click the status button and select a new status for the task from the drop-down list.
Description Type information that describes the task. You may want to include any applicable reference numbers. You can click this field to edit it.

Toolbar ActionsToolbar Actions

Option Description
netwitness_ic-backtoinc_30x31.png (Back to Incidents) Enables you to navigate back to the Incidents List view.
netwitness_ic-x-close_30x30.png Closes the panel.

netwitness_ic-trashcan_30x30.png

Deletes the entry, such as a journal entry or task.
Priority button (In the Overview panel) Allows you to change the Priority of one or more selected incidents in the Incidents List.
Status button (In the Overview panel) Allows you to change the Status of one or more selected incidents.
Assignee button (In the Overview panel) Allows you to change the Assignee of one or more selected incidents.
netwitness_ic-nodal_graph.png Enables you to view the Nodal Graph.
netwitness_ic-events_list.png Enables you to view the incident Events List. Clicking the top of an event enables you to view the event details below it.
netwitness_ic-journalrespond.png Enables you to view incident notes and tasks.
netwitness_ic-11.3.1_journalrespond_30x30.png
(Journal, Tasks, and Related)
(This option is available in NetWitness Version 11.3.1 and earlier 11.x versions.) Enables you to view the Journal, Tasks, and Related Indicators panels.
netwitness_ic_ea_showhide.png Enables you to show or hide the event header, request, response, and metadata in the Events panel in the Respond Incident Details view. For more information about event analysis, see "Events View" in the NetWitness Investigate User Guide.