Investigate the Incident

To further investigate an incident within the Incident Details view, you can follow links to additional contextual information about the incident where it is available. This context adds technical and business detail about a specific entity in the incident, and it can point you to information worth researching so that you understand the full scope of the incident.

You can perform the following procedures to further investigate an incident:

View Contextual Information

In the Indicators panel, Events List, or the Nodal Graph, entities for which NetWitness populates information in the Context Hub are underlined. An underlined entity may have additional information available about it in the Context Hub.

(Figure: underlined entities in the Indicators panel and the Nodal Graph)

(Figure: underlined entities in the Events list details)

The Context Hub is preconfigured with meta fields mapped to the entities. NetWitness Respond and NetWitness Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Settings for a Data Source" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, NetWitness recommends that when mapping meta keys in the Admin > System > Investigation > Context Lookup tab, you add only meta keys to the Meta Key Mappings, not fields in the MongoDB. For example, ip.address is a meta key and ip_address is not a meta key (it is a field in the MongoDB).

To view contextual information:

  1. In the Indicators panel, Events List, or the Nodal Graph, left or right-click an underlined entity.
    A context tooltip appears with a quick summary of the type of context data that is available for the selected entity.
    (Figure: context tooltip for a selected host)
    The information in the Context Highlights section helps you decide which actions to take. It can show related data for Incidents, Alerts, Lists, Endpoint, Criticality, Asset Risk, Reputation, and Threat Intelligence (TI). Depending on your data, you may be able to click these items for more information.
    In this example, the selected host has 0 related incidents, 6800 alerts, 0 lists, and 0 for TI, and no information is available for Endpoint, Live Connect, Criticality, and Asset Risk.
    TI information comes from the STIX data source configured in Context Hub. For more information, see the Context Hub Configuration Guide.
    The Actions section lists the available actions. In this example, the Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Investigate > Hosts/Files, and Pivot to Endpoint Thick Client options are available.
    Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the Archer configuration is enabled and configured properly.

    For more information, see Pivot to the Investigate > Events View, Pivot to Archer, Pivot to NetWitness Endpoint Thick Client, Pivot to the Hosts or Files View, and Add an Entity to a Whitelist.

  2. To see more details about the selected entity, click the View Context button.
    The Context Lookup panel opens and shows all of the information related to the entity.
    The following example shows contextual information for a selected host. It lists all of the incidents that mention that host.
    (Figure: Context Lookup panel for a selected host)
    To understand the different views within the Context Hub Lookup panel, see Context Lookup Panel - Respond View.


Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Indicators panel, Events List, or the Nodal Graph, left or right-click the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
    The Add/Remove from List dialog shows the available lists.
  3. Select one or more lists and click Save.
    The entity appears on the selected lists.
    The Add/Remove from List Dialog topic provides additional information.

Create a List

You can create lists in Context Hub from the Respond view. In addition to using lists to whitelist and blacklist entities, you can use lists to monitor entities for abnormal behavior. For example, to improve the visibility of a suspicious IP address and domain under investigation, you may want to put them in two separate lists: one for domains suspected of being related to command and control connections, and another for IP addresses related to remote access Trojan connections. You can then identify indicators of compromise using these lists.

To create a list in Context Hub:

  1. In the Indicators panel, Events List, or the Nodal Graph, left or right-click the underlined entity that you would like to add to a Context Hub list.
    A context tooltip opens showing the available actions.
  2. In the Actions section of the tooltip, click Add/Remove from List.
  3. In the Add/Remove from List dialog, click Create New List.
  4. Type a unique List Name for the list. The list name is not case sensitive, so two names that differ only in case count as the same name.
  5. (Optional) Type a Description for the list.
  6. Click Save.
    Analysts with the appropriate permissions can also export lists in CSV format to send to other analysts for further tracking and analysis. The Context Hub Configuration Guide provides additional information.
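To make the whitelist and watch-list workflow above concrete, here is an added example; it is not NetWitness code and does not call the Context Hub API. It models lists the way this procedure and the Add an Entity to a Whitelist procedure use them: list names are unique without regard to case, entities are stored in a canonical form so that differently written domains and IP addresses still match, a whitelist suppresses hits from the command-and-control and RAT watch lists (the false-positive case described above), and a list can be exported as CSV for hand-off. All list names, entities, and event records are constructed.

```python
"""Offline model of Context Hub style entity lists (whitelist and watch lists).

Added example for this guide, not NetWitness code: it does not call the
Context Hub API. List names, entries and event records are constructed.
"""
import csv
import io
import ipaddress


def normalize_entity(value: str) -> str:
    """Canonical form of an IP address or domain so that differently written
    values ('Evil-C2.Example.' vs 'evil-c2.example', '0:0::1' vs '::1') match."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        dom = value.rstrip(".").lower()
        if not dom or any(c.isspace() for c in dom):
            raise ValueError(f"not an IP address or domain: {value!r}")
        return dom


class EntityList:
    def __init__(self, name: str, description: str = ""):
        self.name, self.description = name, description
        self.entries: set[str] = set()

    def add(self, value: str) -> bool:
        """Store the canonical form; returns False for values that cannot be listed."""
        try:
            self.entries.add(normalize_entity(value))
            return True
        except ValueError:
            return False

    def contains(self, value: str) -> bool:
        try:
            return normalize_entity(value) in self.entries
        except ValueError:
            return False

    def to_csv(self) -> str:
        """CSV export for handing a list to another analyst."""
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["list", "entity"])
        for entry in sorted(self.entries):
            writer.writerow([self.name, entry])
        return buf.getvalue()


class ListStore:
    """List names are unique without regard to case, as the procedure states."""
    def __init__(self):
        self._lists: dict[str, EntityList] = {}

    def create(self, name: str, description: str = "") -> EntityList:
        key = name.strip().lower()
        if not key or key in self._lists:
            raise ValueError(f"list name missing or already in use: {name!r}")
        self._lists[key] = EntityList(name.strip(), description)
        return self._lists[key]

    def names(self) -> list[str]:
        return [lst.name for lst in self._lists.values()]


def triage(events, whitelist: EntityList, watchlists) -> list[tuple[str, str, str]]:
    """Tag each event entity. The whitelist is checked first so a known-good
    entity never raises a hit, which is the false-positive case above."""
    out = []
    for ev in events:
        ent = ev["entity"]
        if whitelist.contains(ent):
            out.append((ev["id"], ent, "whitelisted"))
            continue
        hits = [wl.name for wl in watchlists if wl.contains(ent)]
        out.append((ev["id"], ent, "+".join(hits) if hits else "no-match"))
    return out


def demo() -> list[tuple[str, str, str]]:
    store = ListStore()
    allow = store.create("Whitelist", "Known-good infrastructure")   # constructed
    c2 = store.create("Suspected C2 Domains")
    rat = store.create("RAT Source IPs")
    for value in ("updates.corp.example", "10.10.20.5"):
        allow.add(value)
    c2.add("Evil-C2.Example.")           # stored as evil-c2.example
    rat.add("203.0.113.7")               # TEST-NET-3 address, constructed
    if rat.add("not an ip or domain"):   # rejected rather than silently stored
        raise RuntimeError("unusable entity was accepted")
    events = [                           # constructed indicator entities
        {"id": "ev-1", "entity": "evil-c2.example"},
        {"id": "ev-2", "entity": "203.0.113.7"},
        {"id": "ev-3", "entity": "UPDATES.CORP.EXAMPLE"},
        {"id": "ev-4", "entity": "198.51.100.9"},
    ]
    return triage(events, allow, [c2, rat])


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The whitelist is consulted before any watch list, so a known-good host that happens to appear in a C2 or RAT list never produces a hit; that ordering is the point of using a whitelist to reduce false positives.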

View the Reputation Status of a File Hash

The File Reputation service available on RSA Live checks the reputation of every file hash against an extensive database of known file hashes that is updated in real time. The file reputation is displayed in the Investigate and Respond views. If the reputation status of a file hash changes, Context Hub notifies all Endpoint servers of the change. Information about the file hash, such as any suspicious or malicious activity associated with the file, is populated from Context Hub.

The following table describes the file hash reputations.

Reputation    Description
Malicious     File hash is labeled as malicious.
Suspicious    File hash is suspected to be malicious.
Unknown       File hash is not known to the file reputation service.
Known         File hash is known to the file reputation service and has no previous bad record.
Known Good    File hash is known good, such as a file signed by Microsoft or NetWitness.
Invalid       File hash format is invalid.

Note: A reputation status is shown for file hash entities only, and the File Reputation service supports a maximum of 10 million file hashes.

The suspicious or malicious files are available for further analysis in the Investigate > Navigate view and Investigate > Events view. For more information on the file reputation service, see the Live Services Management Guide and the NetWitness Endpoint User Guide.
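As an added example (not NetWitness or RSA Live code; the reputation store is a constructed stand-in for the File Reputation service, and every digest is a constructed byte pattern rather than a real file hash), the following script applies the table above to file-hash entities: a value that is not a hexadecimal digest of MD5, SHA-1, or SHA-256 length is reported as Invalid, a well-formed digest the store has never seen is Unknown, results are ordered so that Malicious hashes reach the analyst first, and two snapshots of the store are compared to list the reputation changes that this section says Context Hub propagates to the Endpoint servers.

```python
"""Apply the file-hash reputation table to hash entities.

Added example for this guide, not NetWitness or RSA Live code. REPUTATION_DB is
a constructed stand-in for the File Reputation service and every digest below
is constructed (repeated byte patterns), not a real file hash.
"""
import re

# Hex digest lengths for the algorithms endpoint data usually carries.
HASH_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"[0-9a-f]+")

# Triage order, most urgent first. Invalid sits ahead of the known statuses so
# a malformed hash (often a parsing or copy error) is noticed rather than buried.
SEVERITY = ["Malicious", "Suspicious", "Unknown", "Invalid", "Known", "Known Good"]

REPUTATION_DB = {             # constructed lookup table keyed by lowercase hex
    "ab" * 16: "Malicious",   # MD5-shaped (32 hex chars)
    "cd" * 20: "Suspicious",  # SHA-1-shaped (40)
    "12" * 32: "Known",       # SHA-256-shaped (64)
    "ef" * 32: "Known Good",
}


def normalize_hash(value: str):
    """Return (algorithm, lowercase hex) or None when the value is not a hex
    digest of a supported length, which the table reports as 'Invalid'."""
    hexdigest = value.strip().lower()
    algorithm = HASH_ALGORITHMS.get(len(hexdigest))
    if algorithm is None or not _HEX.fullmatch(hexdigest):
        return None
    return algorithm, hexdigest


def reputation(value: str, db=REPUTATION_DB) -> str:
    """Status for one hash entity: Invalid for malformed input, Unknown when the
    digest is well formed but absent from the store, otherwise the stored status."""
    normalized = normalize_hash(value)
    if normalized is None:
        return "Invalid"
    return db.get(normalized[1], "Unknown")


def triage_queue(values, db=REPUTATION_DB):
    """(status, value) pairs ordered by SEVERITY so Malicious hashes come first."""
    return sorted(((reputation(v, db), v) for v in values),
                  key=lambda pair: SEVERITY.index(pair[0]))


def changed_reputations(previous, current):
    """Hashes whose status differs between two snapshots of the store, the kind
    of change the guide says Context Hub pushes to the Endpoint servers. A hash
    present in only one snapshot is compared against 'Unknown'."""
    changes = {}
    for digest in set(previous) | set(current):
        old, new = previous.get(digest, "Unknown"), current.get(digest, "Unknown")
        if old != new:
            changes[digest] = (old, new)
    return changes


if __name__ == "__main__":
    for status, value in triage_queue(["12" * 32, "00" * 32, "AB" * 16, "not-a-hash"]):
        print(f"{status:<10} {value}")
    later = dict(REPUTATION_DB, **{"00" * 32: "Malicious"})   # constructed update
    print(changed_reputations(REPUTATION_DB, later))
```

Uppercase or padded digests are normalized before lookup, so the same file does not appear under two statuses; anything that fails the format check is surfaced as Invalid instead of being silently treated as Unknown.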

To view the reputation of a file hash:

  1. Go to Respond > Incidents.
  2. In the Incidents List view, choose an incident to view and then click the link in the ID or Name column for that incident.
  3. In the Incident Details view, left or right-click the file hash entity.
    The context tooltip displays the reputation status of the selected file hash entity.
  4. Click Reputation to view the reputation status information.
  5. Click the File Reputation icon to view further details.
    The details for the reputation status are displayed.

Pivot to the Investigate > Events View

For a more thorough investigation of the incident, you can access the Investigate > Events view.

  1. In the Indicators panel, Events List, or the Nodal Graph, left or right-click any underlined entity to access a context tooltip.
  2. In the context tooltip panel, select Pivot to Investigate.
    The Events view opens, which enables you to perform a deep-dive investigation.

For more information, see the NetWitness Investigate User Guide. For troubleshooting information about the Investigate > Events link, see the Alerting with ESA Correlation Rules User Guide.

Pivot to the Hosts or Files View

For a more thorough investigation of specific hosts and files, you can access the Hosts and Files views.

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the context tooltip panel, select Pivot to Investigate > Hosts/Files.
    If the entity is a host, IP address, or MAC address, the Hosts view opens with that specific host listed.
    If the entity is a filename or file hash, the Files view opens with that specific file listed.

Note: By default, the search for entities runs on the previously selected Endpoint Server. You can select a different Endpoint Server to fetch the information.

For more information, see the NetWitness Investigate User Guide.

Pivot to NetWitness Endpoint Thick Client

If you have the NetWitness Endpoint thick client application installed, you can launch it from the context tooltip. From there, you can further investigate a suspicious IP address, host, or MAC address.

  1. In the Indicators panel, Events List, or the Nodal Graph, hover over any underlined entity to access a context tooltip.
  2. In the context tooltip panel, select Pivot to Endpoint Thick Client.
    The NetWitness Endpoint thick client application opens outside of your web browser.

For more information on the thick client, see the NetWitness Endpoint User Guide.

Pivot to Archer

To view more details about a device in Archer Cyber Incident & Breach Response, you can pivot to the device details page. This option is available only for IP address, host, and MAC address entities.

  1. In the Indicators panel, Events List, or the Nodal Graph, left or right-click any underlined IP address, host, or MAC address entity to access a context tooltip.
  2. In the context tooltip panel, select Pivot to Archer.
    The device details page in Archer Cyber Incident & Breach Response opens if you are logged in to the application; otherwise, the login screen is displayed.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the Archer configuration is enabled and configured properly.

For more information, see the NetWitness Archer Integration Guide.

View Event Analysis Details for Indicators

In the Incident Details view Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of them. In the Events panel, you can view raw events and metadata with interactive features that help you find meaningful patterns in the data. You can examine network, log, and endpoint events in the Events panel. The Events panel in the Respond view shows the Events view from Investigate for the specific indicator events. For detailed information about the Events view, see the NetWitness Investigate User Guide.

Note: You must have the following Investigate-server permissions to view the Events panel in the Respond view:
event.read
content.reconstruct
content.export

The Events view requires all Core services to be on NetWitness Platform 11.4 or later.

Migration Considerations

Incidents migrated from NetWitness versions before 11.2 do not show the Events panel in the Respond Incident Details view Indicators panel. Likewise, if you use alerts that were migrated from versions before 11.2 to create incidents in 11.5, you cannot view the Events panel in the Respond view for those incidents.

To access event analysis details for an event in the Indicators panel:

  1. Go to Respond > Incidents.
  2. In the Incidents List view, choose an incident to view and then click the link in the ID or NAME column for that incident.
    The Incident Details view is displayed.
  3. In the left panel of the Incident Details view, go to the Indicators tab.
    Data source information is shown above the names of the indicators. You can also see the creation date and time as well as the number of events in the indicator. If event analysis (EA) information is available, an EA icon appears in front of the event count.
  4. Click an event count with an EA icon to view additional event information.
  5. Click an event type hyperlink within the event (for example, Network) to open the Events panel.
    The Events panel shows event details for the event, such as packet analysis details. The information available varies with the event type.
    For detailed information about the Events view, see the NetWitness Investigate User Guide.

Note: If you want to send the Events URL to another analyst, you can copy the event type hyperlink, for example Network.

View User Entity Behavior Analytics for Indicators

NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. You can access UEBA from the Respond Incident Details view Indicators panel. Indicators with a User Entity Behavior Analytics hyperlink have additional UEBA information available. For detailed information about UEBA, see the NetWitness UEBA User Guide.

Document Steps Taken Outside of NetWitness

The journal shows notes added by analysts and enables you to collaborate with your peers. You can post notes to a journal, add Investigation Milestone tags (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action on Objective, Containment, Eradication, and Closure), and view the history of activity on your incident.

View the Journal Entries for an Incident

The Journal is on the right side of the Incident Details view. If you do not see the Journal, click Journal & Tasks in the toolbar.

The Journal shows the history of activity on an incident. For each journal entry, you can see the author and time of the entry.

Add a Note

Typically, you add a note so that another analyst can understand the incident, or for posterity so that your investigative steps are documented.

  1. At the bottom of the Journal panel, type your note in the New Journal Entry box.
  2. (Optional) Select an Investigation Milestone from the drop-down list (Reconnaissance, Delivery, Exploitation, Installation, Command and Control, Action on Objective, Containment, Eradication, and Closure).
  3. After you finish your note, click Submit.
    Your new journal entry appears in the Journal.

Delete a Note

  1. In the Journal panel, locate the journal entry that you would like to delete.
  2. Click the trash can (delete) icon next to the journal entry.
  3. In the confirmation dialog that appears, click OK to confirm that you want to delete the journal entry. This action cannot be reversed.