Incidents List View

The Incidents List view (Respond > Incidents) shows Incident Responders and other Analysts a prioritized results list of incidents created from various sources. For example, your results list could show incidents created from ESA rules or NetWitness Endpoint. From the Incidents List view, you have easy access to the information that you need to quickly triage and manage incidents through completion.

Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness.

(Figure: incident response workflow)

In the Incidents List view, you can review the list of prioritized incidents, which shows basic information about each incident. You can also change the assignee, priority, and status of the incidents. Because the incident list can be large, you can filter it by time range, custom date range, incident ID, incident name, priority, status, assignee, and categories.

What do you want to do?

Role | I want to ... | Show me how
Incident Responders, Analysts, and SOC Manager | View prioritized incidents* | Review Prioritized Incident List
Incident Responders, Analysts, and SOC Manager | Filter and sort the incident list* | Filter the Incident List
Incident Responders, Analysts | View my incidents* | View My Incidents
Incident Responders, Analysts | Assign incidents to myself* | Assign Incidents to Myself
Incident Responders, Analysts, and SOC Manager | Find incidents* | Find an Incident
Incident Responders, Analysts, and SOC Manager | Send an incident to Archer Cyber Incident & Breach Response or update an incident* | Escalate or Remediate the Incident
Incident Responders, Analysts | View incident details | Determine which Incidents Require Action
Incident Responders, Analysts | Further investigate an incident | Investigate the Incident
Incident Responders, Analysts, and SOC Manager | Create a task | Escalate or Remediate the Incident

*You can complete these tasks here (that is, in the Incidents List view).

Quick Look

The following example shows the initial Incidents List view with the Filter panel. You can open the Overview panel for an incident by clicking an incident in the Incident List.

Incidents List view diagram showing Filter Panel and access to Overview Panel

1 Filters Panel
2 Incidents List
3 Overview Panel

You can go directly to the Incident Details view from the Incidents List by clicking the hyperlinked ID or NAME. The Overview panel is also available in the Incident Details view. For more information about the Incidents Details view, see Incident Details View.

Incidents List View

To access the Incidents List view, go to Respond > Incidents. The Incidents List view displays a list of all incidents and consists of a Filters panel, an Incidents List, and an Overview panel.

The following figure shows the Filter Panel on the left and the Incidents List on the right.

(Figure: Filters panel and Incidents List)

The following figure shows the incident Overview panel on the right.

(Figure: incident Overview panel)

Incidents List

The Incidents List shows a list of all of the prioritized incidents. You can filter this list to show only incidents of interest.

Column | Description
Created | Shows the creation date of the incident.
Priority | Shows the incident priority: Critical, High, Medium, or Low. The priority is color coded: red indicates Critical, orange High, yellow Medium, and green Low.
Risk Score | Shows the incident risk score, a value between 0 and 100 calculated by an algorithm; 100 is the highest risk.
ID | Shows the automatically created incident number. Each incident is assigned a unique number that you can use to track the incident.
Name | Shows the incident name, which is derived from the rule that triggered the incident. Click the link to go to the Incident Details view for the selected incident.
Status | Shows the incident status: Reopen, New, Assigned, In Progress, Task Requested, Task Complete, Closed, or Closed - False Positive.
Assignee | Shows the team member currently assigned to the incident.
Alerts | Shows the number of alerts associated with the incident. An incident may include many alerts; a large number of alerts might indicate a large-scale attack.
MITRE ATT&CK Tactics | Shows the tactic associated with the incident, for example Credential Access. For more information, see the Use MITRE ATT&CK® Framework topic.

At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number of incidents selected. For example: Showing 1000 out of 2517 items | 2 selected. The maximum number of incidents that you can view at one time is 1,000.

Incident Filters Panel

The following figure shows the filters available in the Filters panel.

(Figure: Filters panel)

The Filters panel, on the left of the Incidents List view, has options that you can use to filter the incidents list. When you navigate away from the Filters panel, the Incidents List view retains your filter selections.

Option | Description
Saved Filters | Select a saved filter to filter the incident list. Saved filters are global: a filter you save is available to other analysts, and you can use any saved filter. Saved filters are also available on the Springboard landing page; a filter that is in use on the Springboard cannot be deleted. (Available in NetWitness Platform 11.5 and later.)
Time Range | Select a time period from the Time Range drop-down list. The time range is applied to the creation date of the incidents. For example, if you select Last Hour, you see the incidents created within the last 60 minutes.
Custom Date Range | Specify an explicit date range instead of a Time Range option. Click the radio button (white circle) in front of Custom Date Range to show the Start Date and End Date fields, then select the dates and times from the calendar.
Incident ID | Type the number of the incident that you want to locate. For example, for INC-1050, type only the number "1050".
Incident Name | Enter the exact name of the incident, or part of it, and select how it is matched:
  • Contains: shows the incidents whose names contain the entered term.
  • Equals: shows the incidents whose names exactly match the entered text.
Priority | Select the priorities that you want to view.
Status | Select one or more incident statuses. For example, select Closed - False Positive to view only incidents that were initially identified as suspicious but were later found to be benign.
Assignee | Select one or more assignees. For example, to view only the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. To view incidents regardless of assignee, make no selection under Assignee. To view only unassigned incidents, select Show only unassigned incidents (available in NetWitness Version 11.1 and later).
Categories | Select one or more categories from the drop-down list. For example, to view only incidents classified as Backdoor or Privilege abuse, select Backdoor and Privilege abuse.
MITRE ATT&CK Tactics | Select the tactic associated with the incident.
MITRE ATT&CK Techniques | Select the technique associated with the incident.
Sent to Archer | Select Yes to view incidents that were sent to Archer, or No to view incidents that were not. (Available in NetWitness Version 11.2 and later when Archer is configured as a data source in Context Hub, which enables sending incidents to Archer Cyber Incident & Breach Response from NetWitness Respond.)
Reset | Removes your filter selections. Resetting while a saved filter is applied returns you to the default empty filter.
Save | Saves the currently applied filter or updates a saved filter. For a new filter, choose a unique name of 1-256 alphanumeric characters, underscores, or hyphens. (Available in NetWitness Platform 11.5 and later.)
Save As | Saves the currently applied filter under a new name for future use. Choose a unique name of 1-256 alphanumeric characters, underscores, or hyphens. (Available in NetWitness Platform 11.5 and later.)
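The Filters panel options and the list footer ("Showing 1000 out of 2517 items | 2 selected") described above, modelled in Python as an added example. This is not NetWitness code: it assumes that filter options combine with AND across fields and OR within a multi-select field, that the time range applies to the incident creation time, that Contains is a case-insensitive substring match, and that the list is shown newest first. The Incident and IncidentFilter types, the matches, apply_filter, parse_incident_id and footer functions, and the sample incidents are all constructed for the example.

```python
"""Added example: a model of the Incidents List filter semantics (not NetWitness code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

PAGE_CAP = 1000  # the list shows at most 1,000 incidents at a time


@dataclass
class Incident:
    id: int                     # numeric part of the incident ID, e.g. 1050 for INC-1050
    name: str
    created: datetime
    priority: str               # Critical, High, Medium, Low
    status: str                 # New, Assigned, ..., Closed - False Positive
    assignee: Optional[str]     # None when unassigned
    categories: Set[str] = field(default_factory=set)
    sent_to_archer: bool = False


@dataclass
class IncidentFilter:
    """One field per Filters panel option; an empty or None field means no restriction."""
    start: Optional[datetime] = None        # Time Range / Custom Date Range
    end: Optional[datetime] = None
    incident_id: Optional[str] = None       # "1050" (also tolerates "INC-1050")
    name: Optional[str] = None
    name_mode: str = "contains"             # "contains" or "equals"
    priorities: Set[str] = field(default_factory=set)
    statuses: Set[str] = field(default_factory=set)
    assignees: Set[str] = field(default_factory=set)
    only_unassigned: bool = False           # "Show only unassigned incidents"
    categories: Set[str] = field(default_factory=set)
    sent_to_archer: Optional[bool] = None   # None = either, True = Yes, False = No


def parse_incident_id(text: str) -> Optional[int]:
    """Normalise the Incident ID field: '1050' or 'INC-1050' -> 1050; None if not a number."""
    digits = text.strip().upper()
    if digits.startswith("INC-"):
        digits = digits[4:]
    return int(digits) if digits.isdigit() else None


def matches(inc: Incident, f: IncidentFilter) -> bool:
    """Assumption: options are ANDed across fields and ORed within a multi-select field."""
    if f.start is not None and inc.created < f.start:
        return False
    if f.end is not None and inc.created > f.end:
        return False
    if f.incident_id is not None and inc.id != parse_incident_id(f.incident_id):
        return False
    if f.name:
        if f.name_mode == "equals" and inc.name != f.name:
            return False
        # assumption: "Contains" is a case-insensitive substring match
        if f.name_mode == "contains" and f.name.lower() not in inc.name.lower():
            return False
    if f.priorities and inc.priority not in f.priorities:
        return False
    if f.statuses and inc.status not in f.statuses:
        return False
    if f.only_unassigned and inc.assignee is not None:
        return False
    if f.assignees and inc.assignee not in f.assignees:
        return False
    if f.categories and not (inc.categories & f.categories):
        return False
    if f.sent_to_archer is not None and inc.sent_to_archer != f.sent_to_archer:
        return False
    return True


def apply_filter(incidents: List[Incident], f: IncidentFilter) -> List[int]:
    """Return the matching incident IDs, newest first (sort order is an assumption)."""
    hits = sorted((i for i in incidents if matches(i, f)), key=lambda i: i.created, reverse=True)
    return [i.id for i in hits]


def footer(total_matches: int, selected: int = 0) -> str:
    """The status line at the bottom of the list, honouring the 1,000-item display cap."""
    return f"Showing {min(total_matches, PAGE_CAP)} out of {total_matches} items | {selected} selected"


# Constructed sample data (not real incidents), relative to a fixed "now".
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident(1050, "Suspected Command & Control", NOW - timedelta(minutes=30), "High", "Assigned", "Cale", {"Backdoor"}),
    Incident(1051, "Privilege abuse by admin account", NOW - timedelta(hours=2), "Critical", "New", None, {"Privilege abuse"}),
    Incident(1052, "Suspected Command & Control", NOW - timedelta(days=3), "Medium", "Closed - False Positive", "Stanley", {"Backdoor"}, sent_to_archer=True),
    Incident(1053, "Malware on endpoint", NOW - timedelta(hours=5), "Low", "In Progress", "Stanley", {"Malware"}),
]

if __name__ == "__main__":
    last_hour = IncidentFilter(start=NOW - timedelta(hours=1), end=NOW)
    print(apply_filter(SAMPLE, last_hour))                              # [1050]
    print(apply_filter(SAMPLE, IncidentFilter(only_unassigned=True)))   # [1051]
    print(footer(2517, selected=2))  # Showing 1000 out of 2517 items | 2 selected
```

The point worth noticing is the difference between leaving Assignee empty (any assignee, including none) and ticking Show only unassigned incidents (assignee must be empty), and that Incident ID is matched on the numeric part only, so "INC-1050" and "1050" select the same incident.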

Incident Overview Panel

The Overview panel shows basic summary information about a selected incident. From the Incidents List, you can click an incident to access the Overview panel. The Overview panel in the Incident Details view contains the same information.

(Figure: incident Overview panel)

The following table lists the fields displayed in the Incident Overview panel.

Field | Description
<Incident ID> | Displays the incident ID.
Send to Archer / Sent to Archer | Shows whether the incident was sent to Archer Cyber Incident & Breach Response. (Available in NetWitness Version 11.2 and later when Archer is configured as a data source in Context Hub, which enables escalating incidents to Archer from NetWitness Respond.)
  • Send to Archer: The incident has not been sent to Archer. Click the Send to Archer button to send it to Archer Cyber Incident & Breach Response for additional processing. This action is not reversible.
  • Sent to Archer: The incident was sent to Archer Cyber Incident & Breach Response for additional analysis and action.
<Incident Name> | Displays the name of the incident. Click the name to change it; for example, rules can create many incidents with the same name, and you can rename them to be more specific.
Created | Shows the creation date and time of the incident.
Rule / By | Shows the name of the rule that created the incident, or the name of the person who created it.
Risk Score | Shows a value between 0 and 100 that indicates the risk of the incident as calculated by an algorithm; 100 is the highest risk.
Priority | Shows the incident priority: Critical, High, Medium, or Low. To change it, click the Priority button and select a new priority from the drop-down list.
Status | Shows the incident status: Reopen, New, Assigned, In Progress, Task Requested, Task Complete, Closed, or Closed - False Positive. To change it, click the Status button and select a new status from the drop-down list.
Assignee | Shows the team member currently assigned to the incident. To change the assignee, click the Assignee button and select a new assignee from the drop-down list.
Sources | Displays the data sources used to locate the suspicious activity.
Categories | Displays the categories of the incident events.
Catalysts | Displays the count of indicators that gave rise to the incident.
External ID | Stores an incident ID reference from a different platform. Note: clicking Send to Archer generates an External ID, which is stored automatically in this field.
Time to Acknowledge | Displays the time between creation of the incident and its assignment.
Time to Detect | Displays the time between assignment of the incident and completion of the task.
Time to Resolve | Displays the time between creation of the incident and its closure.
Persisted Status | Displays the persist status of the incident: Complete, Partial, or None (-).
MITRE ATT&CK Tactics | Displays the tactic associated with the incident.
MITRE ATT&CK Techniques | Displays the technique associated with the incident.

Toolbar Actions

This table lists the toolbar actions available in the Incidents List view.

Option | Description
Filter icon | Opens the Filters panel so that you can specify which incidents appear in the Incidents List.
Close (X) icon | Closes the panel.
Change Priority button | Changes the priority of one or more selected incidents in the Incidents List.
Change Status button | Changes the status of one or more selected incidents.
Change Assignee button | Changes the assignee of one or more selected incidents.
Delete button | Deletes the selected incidents, provided you have the appropriate permissions (for example, Administrator or Data Privacy Officer).
Retention Usage button | Fetches retention statistics for all configured services, including the percentage of space used by the pinned cache directories.