Reviewing Alerts

NetWitness enables you to view a consolidated list of threat alerts generated from multiple sources in one location. You can find these alerts in the Respond > Alerts view. The source of the alerts can be ESA correlation rules, NetWitness Endpoint, Detect AI, Malware Analysis, Reporting Engine, Risk Scoring, as well as many others. You can see the source of the alerts, the alert severity, and additional alert details.

Note: ESA correlation rule alerts can ONLY be found in the Respond > Alerts view.

To better manage a large number of alerts, you have the ability to filter the alerts list based on criteria that you specify, such as severity, time range, and alert source. For example, you may want to filter the alerts to only show those alerts with a severity between 90 and 100 that are not already part of an incident. You can then select a group of alerts to create an incident or add to an existing incident.

You can perform the following procedures to review and manage alerts:

View Alerts

In the Alerts List view, you can browse through various alerts from multiple sources, filter them, and group them to create incidents. This procedure shows you how to access the alerts list.

  1. Go to Respond > Alerts.
    The Alerts List view displays a list of all NetWitness alerts.
  2. Scroll through the alerts list, which shows basic information about each alert in the following columns:
    • Created: Displays the date and time when the alert was recorded in the source system.
    • Severity: Displays the level of severity of the alert. The values are from 1 through 100.
    • Name: Displays a basic description of the alert.
    • Source: Displays the original source of the alert. The source of the alerts can be NetWitness Endpoint, Detect AI, Malware Analysis, Event Stream Analysis (ESA Correlation Rules), Reporting Engine, Web Threat Detection, Risk Scoring, and many others.
      Note: In NetWitness Platform 11.3 and later, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device_type of nwendpoint, the source changes to Endpoint.
    • # Events: Indicates the number of events contained within an alert. This varies depending on the source of the alert. For example, NetWitness Endpoint and Malware Analysis alerts always have one event. For certain types of alerts, a high number of events may mean that the alert is more risky.
    • Host Summary: Displays details of the host, such as the host name, from which the alert was triggered. The details may include information about the source and destination hosts in an alert. Some alerts may describe events across more than one host.
    • Incident ID: Shows the Incident ID of the alert. If there is no Incident ID, the alert does not belong to any incident; you can create an incident to include this alert or add the alert to an existing incident.
    • MITRE ATT&CK Tactics: Shows the particular tactic associated with each alert.

At the bottom of the list, you can see the number of alerts on the current page and the total number of alerts. For example: Showing 1000 out of 2069 items

Filter the Alerts List

The number of alerts in the Alerts List can be very large, making it difficult to locate particular alerts. The Filter enables you to view the alerts you want to see, for example, alerts from a particular source, alerts of a particular severity, alerts that are not part of an incident, and so on.

  1. Go to Respond > Alerts.
    The Filters panel appears to the left of the Alerts list. If you do not see the Filters panel, click the Filter icon in the Alerts List view toolbar, which opens the Filters panel.
  2. In the Filters panel, select one or more options to filter the alerts list:
    • Time Range: You can select a specific time period from the Time Range drop-down list. The time range is based on the date that the alerts were received. For example, if you select Last Hour, you can see alerts that were received within the last 60 minutes.
    • Custom Date Range: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
    • Type: Select the type of events in the alert to view, for example, logs, network sessions, and so on. In NetWitness Platform 11.3 and later, if one of the events in an alert has a device_type of nwendpoint, Endpoint is included in the Type field.
    • Source: Select one or more sources to view alerts triggered by the selected sources. For example, to view NetWitness Endpoint alerts only, select Endpoint as the source. In NetWitness Platform 11.3 and later, the Endpoint source includes Endpoint alerts from all NetWitness Endpoint versions. If one of the events in an alert has a device type of nwendpoint, the source changes to Endpoint. A Risk Scoring source is available in NetWitness Platform 11.3 and later. NetWitness Respond automatically creates incidents from alerts that are over the specified file and host alert thresholds for risk score. For more information, see the NetWitness Respond Configuration Guide.
    • Severity: Select the level of severity of the alerts to view. The values are from 1 through 100. For example, to concentrate on the highest severity alerts first, you may want to view only those alerts with a severity from 90 to 100.
    • Part of Incident: To view only alerts that are not part of an incident, select No. To view only alerts that are part of an incident, select Yes. For example, when you are ready to create an incident from a group of alerts, you can select No to view only those alerts that are not currently part of an incident.
    • Alert Names: Select the name of the alert to view. You can use this filter to search for all alerts generated by a specific rule, for example, Direct Login to an Administrative Account.
    • MITRE ATT&CK Tactics: Select the tactic associated with the alert.
    • MITRE ATT&CK Techniques: Select the technique associated with the alert.

    The Alerts List shows a list of alerts that meet your selection criteria. You can see the number of items in your filtered list at the bottom of the alerts list.
    For example: Showing 30 out of 30 items

  3. If you want to close the Filters panel, click X. Your filters remain in place until you remove them.

Remove My Filters from the Alerts List

NetWitness remembers your filter selections in the Alerts List view. You can remove your filter selections when you no longer need them. For example, if you are not seeing the number of alerts that you expect to see or you want to view all of the alerts in your alerts list, you can reset your filters.

  1. Go to Respond > Alerts.
    The Filters panel appears to the left of the alerts list. If you do not see the Filters panel, click the Filter icon in the Alerts List view toolbar, which opens the Filters panel.
  2. At the bottom of the Filters panel, click Reset Filters.

Save the Current Alerts Filter

Note: This option is available in NetWitness Platform Version 11.5 and later.

Saved filters provide a way for analysts to save and quickly apply specific filter conditions to the list of alerts. You can also use these filters to customize the Springboard landing page. For example, you may want to create a filter to show only alerts from a specific source and severity level over the last 24 hours.

Saved filters are global. You can save a filter for other analysts to use and you can use any saved filter.

  1. In the Filters panel, select one or more options to filter the alerts list. For example, in the Time Range field select Last 24 Hours, in the Source field select Endpoint, and for Severity, select the 90 to 100 range.
  2. Click Save As and in the Save Filter dialog, enter a unique name for the filter and save it, for example Last24Hours-Endpt_Sev90-100.
    The filter is added to the Saved Filters list.

Update a Saved Alerts Filter

Note: This option is available in NetWitness Platform Version 11.5 and later.

  1. In the Filters panel Saved Filters drop-down list, select a saved filter.
  2. Update your filter selections and click Save.

Delete a Saved Alerts Filter

Note: This option is available in NetWitness Platform Version 11.5 and later.

When a saved filter is no longer required, you can remove it from the saved filters list. Filters used in the Springboard cannot be deleted.

  1. In the Filters panel, open the Saved Filters drop-down list.
  2. Next to the filter name, click the trash icon to delete it.

View Alert Summary Information

In addition to viewing basic information about an alert, you can also view raw alert metadata in the Overview panel.

  1. In the Alerts list, click the alert that you want to view.
    The Alert Overview panel appears to the right of the Alerts list.
  2. In the Overview panel Raw Alert section, you can scroll to view the raw alert metadata.

View Event Details for an Alert

After you review the general information about the alert in the Alerts List view, you can go to the Alert Details view for more detailed information to determine the action required. An alert contains one or more events. In the Alert Details view, you can drill down into an alert to get additional event details and further investigate the alert. The following figure shows an example of the Alert Details view.


The Overview panel on the left has the same information for an alert as the Overview panel in the Alerts List view.

The Events panel on the right shows information about the events in the alert, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.

There are two types of events:

  • A transaction between two machines (a Source and a Destination)
  • An anomaly detected on a single machine (a Detector)

Some events will only have a Detector. For example, NetWitness Endpoint finds malware on your machine. Other events will have a Source and Destination. For example, packet data shows communication between your machine and a Command and Control (C2) domain.

You can drill further into an event to get detailed data about the event.

To View the Event Details for an Alert:

  1. To view event details for an alert, in the Alerts List view, choose an alert to view and then click the link in the Name column for that alert.
    The Alert Details view shows the Overview panel on the left and the Events panel on the right.
    The Events panel shows a list of events with information about each event. The following columns are among those that can appear in the Events List (Events Table).

    • Time: Shows the time the event occurred.
    • Type: Shows the type of alert, such as Log and Network.
    • Source IP: Shows the source IP address if there was a transaction between two machines.
    • Destination IP: Shows the destination IP address if there was a transaction between two machines.
    • Detector IP: Shows the IP address of the machine where an anomaly was detected.
    • Source User: Shows the user of the source machine.
    • Destination User: Shows the user of the destination machine.
    • File Name: Shows the file name if a file is involved with the event.
    • File Hash: Shows a hash of the file contents.

If there is only one event in the list, you see only the event details for that event instead of a list.

  2. Click an event in the Events list to view the Event details.
    This example shows the event details for the first event in the list.
  3. Use the page navigation to the right of the Back To Table button to view other events. This example shows the event details for the last event in the list.

See Alert Details Panel for detailed information about the event data listed in the Alert Details panel.

Investigate Events

To further investigate the events, you can find links that take you to additional contextual information. From there, you have options available depending on your selection.

View Contextual Information

In the Alert Details view, you can see underlined entities in the Events panel. An underlined entity is considered an entity in the Context Hub and has additional contextual information available. The following figure shows underlined entities in the Events list.


The following figure shows an underlined entity in the Event Details.


The Context Hub is preconfigured with meta fields mapped to the entities. NetWitness Respond and NetWitness Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Settings for a Data Source" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, NetWitness recommends that when mapping meta keys in the (missing or bad snippet) > System > Investigation > Context Lookup tab, you add only meta keys to the Meta Key Mappings, not fields in the MongoDB. For example, ip.address is a meta key and ip_address is not a meta key (it is a field in the MongoDB).

To View Contextual Information:

  1. In the Alert Details view Events List or Event Details, left or right click an underlined entity.
    A context tooltip appears with a quick summary of the type of context data that is available for the selected entity.
    The information in the Context Highlights section helps you to determine the actions that you would like to take. It shows the number of related alerts and incidents. It can show related data for Incidents, Alerts, Lists, Endpoint, Criticality, Asset Risk, Reputation, and Threat Intelligence (TI). Depending on your data, you may be able to click these numbered items for more information. The above example shows 1 related incident, 1 related alert, and one list associated with the selected IP address. There is no information for Endpoint, Criticality, or Asset Risk. TI information comes from the STIX data source configured in Context Hub. For more information, see the Context Hub Configuration Guide.

The other section lists the available actions. In the above example, the Add/Remove From List, Pivot to Investigate, Pivot to Investigate > Hosts/Files, Pivot to Endpoint Thick Client, and Pivot to Archer options are available.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer Datasource is not responding. Check that the Archer configuration is enabled and configured properly.

For more information, see Pivot to the Investigate > Navigate View, Pivot to the Hosts or Files View, Pivot to Archer, Pivot to Endpoint Thick Client, and Add an Entity to a Whitelist.

  2. To see more details about the selected entity, click the View Context button.
    The Context panel opens and shows all of the information related to the entity.
    Context Lookup Panel - Respond View provides additional information.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Alert Details view Events List or Event Details, left or right click the underlined entity that you would like to add to a Context Hub list.
    A context tooltip appears showing the available actions.
  2. In the Actions section of the tooltip, click Add/Remove from List.
    The Add/Remove From List dialog shows the available lists.
  3. Select one or more lists and click Save.
    The entity appears on the selected lists.
    Add/Remove from List Dialog provides additional information.

Create a Whitelist

You can create a whitelist in the Context Hub in the same way as you would create it in the Incident Details view, see Create a List.

Pivot to the Investigate > Navigate View

For a more thorough investigation of the incident, you can access the Investigate > Navigate view.

  1. In the Events List or Event Details in the Alert Details view, hover over any underlined entity to access a context tooltip.
  2. In the Actions section of the tooltip, select Pivot to Investigate > Navigate.
    The Navigate view opens, which enables you to perform a deeper dive investigation.

For more information, see the NetWitness Investigate User Guide. For troubleshooting information with the Investigate > Navigate link see the Alerting with ESA Correlation Rules User Guide.

Pivot to the Hosts or Files View

For a more thorough investigation about specific Hosts and Files, you can access the Hosts and Files views.

  1. In the Events List or Event Details in the Alert Details view, left or right click any entity to access a context tooltip.
  2. In the tooltip, select Pivot to Investigate > Hosts/Files.
    If you left or right click a host, IP address, or MAC address entity and select Pivot to Investigate > Hosts/Files, the Hosts view opens with that host listed.
    If you left or right click a file name or file hash entity and select Pivot to Investigate > Hosts/Files, the Files view opens with that file listed.

Note: By default, the search for entities is on the previously selected Endpoint Server. However, you can select a different Endpoint Server to fetch the information or data.

For more information, see the NetWitness Investigate User Guide.

Pivot to Endpoint Thick Client

If you have the NetWitness Endpoint thick client application installed, you can launch it through the context tooltip. From there, you can further investigate a suspicious IP address, Host, or MAC address.

  1. In the Events List or Event Details in the Alert Details view, hover over any underlined entity to access a context tooltip.
  2. In the Actions section of the tooltip, select Pivot to Endpoint Thick Client.
    The NetWitness Endpoint thick client application opens outside of your web browser.

For more information on the thick client, see the NetWitness Endpoint User Guide.

Pivot to Archer

To view more details about a device in Archer Cyber Incident & Breach Response, you can pivot to the device details page. This option is available only for IP address, host, and MAC address entities.

  1. In the Events List or Event Details in the Alert Details view, left or right click any underlined entity to access a context tooltip.
  2. In the Actions section, select Pivot to Archer.
  3. The device details page in Archer Cyber Incident & Breach Response opens if you are logged in to the application, otherwise the login screen is displayed.


Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer Datasource is not responding. Check that the Archer configuration is enabled and configured properly.

For more information, see the NetWitness Archer Integration Guide.

Create an Incident Manually

You can create incidents manually from alerts in the Alerts List view. The alerts that you select cannot be part of another incident.

In NetWitness Version 11.2 and later, you can change the assignee, category, and priority when you create an incident manually from alerts.

In NetWitness Version 11.1, incidents created manually from alerts default to Low priority, but you can change the priority after you create it. You cannot add categories to manually created incidents in version 11.1.

Note: Incidents can be created manually or automatically. An Alert can only be associated with one Incident. You can create incident rules to analyze the alerts collected and group them into incidents depending on which rules they match. For details, see the "Create an Incident Rule for Alerts" topic in the NetWitness Respond Configuration Guide.

To Create an Incident Manually:

  1. Go to Respond > Alerts.
  2. Select one or more alerts in the Alerts List.

    Note: Selecting alerts that do not have incident IDs enables the Create Incident button. If an alert is already part of an incident, the button is disabled. You can filter for alerts that are not part of an incident by setting Part of Incident to No in the Filters panel.


  3. Click Create Incident.

    The Create Incident dialog is displayed.


  4. In the Incident Name field, type a name to identify the incident. For example, Investigate - Hacking.
  5. In the Priority field, select a priority for the incident. The priority defaults to Low.
  6. (Optional) If you are ready to assign the incident, in the Assignee field, select a specific user.
  7. (Optional) In the Categories field, you can select a category to classify the incident, such as Hacking: Use of stolen creds. This is also helpful when trying to locate the incident later using the incidents filter.
  8. Click OK.
    You can see a confirmation message that an incident was created from the selected alerts. The new incident ID appears as a link in the INCIDENT ID column of the selected alerts.

    If you click the link, it takes you to the Incident Details view for that incident, where you can update information, such as changing the Priority to High or assigning the incident to another user. The following figure shows the Incident Details view Overview panel for the new incident.

Add Alerts to an Incident

Note: This option is available in NetWitness Version 11.1 and later.

If you have alerts that fit a particular existing incident, you do not have to create a new incident. Instead, you can add alerts to that incident from the Alerts List view. The alerts that you select cannot be part of another incident.

  1. Go to Respond > Alerts.
  2. In the Alerts List, select one or more alerts that you want to add to an incident, and click Add to Incident.

    Note: Selecting alerts that do not have incident IDs enables the Add to Incident button. If the alert is already part of an incident, the button is disabled. You can filter alerts that are not part of an incident by selecting the option Part of Incident as No in the Filters panel.


  3. In the Add to Incident dialog, type at least three characters in the Search field to search for the incident by Name or Incident ID.
  4. In the results list, select the incident that will receive the selected alerts and click OK.
    The selected alert or alerts are now part of the selected incident and will have that incident ID.

Delete Alerts

Users with the appropriate permissions, such as Administrators and Data Privacy Officers, can delete alerts. This procedure is helpful when you want to remove unnecessary or non-relevant alerts. Deleting these alerts frees up disk space.

  1. Go to Respond > Alerts.
    The Alerts List view displays a list of all NetWitness alerts.
  2. In the Alerts list, select the alerts that you want to delete and click Delete.
    If you do not have permission to delete alerts, you will not see the Delete button.
  3. Confirm that you want to delete the alerts and click OK.
    The alerts are deleted from NetWitness. If a deleted alert is the only alert in an incident, the incident is also deleted. If the deleted alert is not the only alert in an incident, the incident is updated to reflect the deletion.
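The rules this page states for alerts and incidents (the Source column shows Endpoint when any event has a device_type of nwendpoint; Create Incident and Add to Incident accept only alerts with no Incident ID, because an alert belongs to at most one incident; deleting the only alert in an incident deletes the incident) as a small Python model covering the Create an Incident Manually, Add Alerts to an Incident and Delete Alerts sections. This is an added example, not NetWitness code or its API; the Alert and RespondStore classes, the INC-n identifier format and the sample alerts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Alert:
    alert_id: str
    name: str
    severity: int                 # 1 through 100, as in the Severity column
    source: str
    events: List[dict] = field(default_factory=list)   # constructed samples
    incident_id: Optional[str] = None

    def effective_source(self) -> str:
        # Page rule: if any event has device_type nwendpoint, the Source
        # column shows Endpoint regardless of the raw source.
        if any(e.get("device_type") == "nwendpoint" for e in self.events):
            return "Endpoint"
        return self.source

class RespondStore:
    """In-memory stand-in for the Alerts List and its incidents (constructed)."""

    def __init__(self, alerts: List[Alert]) -> None:
        self.alerts: Dict[str, Alert] = {a.alert_id: a for a in alerts}
        self.incidents: Dict[str, List[str]] = {}  # incident id -> alert ids
        self._next = 1

    def filter(self, min_sev=1, max_sev=100, part_of_incident=None, source=None):
        """Severity, Part of Incident and Source filters from the Filters panel."""
        out = []
        for a in self.alerts.values():
            if not min_sev <= a.severity <= max_sev:
                continue
            if part_of_incident is not None and \
                    (a.incident_id is not None) != part_of_incident:
                continue
            if source is not None and a.effective_source() != source:
                continue
            out.append(a.alert_id)
        return out

    def _require_unassigned(self, alert_ids: List[str]) -> None:
        # Create Incident / Add to Incident are disabled if any selected
        # alert already has an incident ID: an alert belongs to one incident.
        for aid in alert_ids:
            if self.alerts[aid].incident_id is not None:
                raise ValueError(f"{aid} already in {self.alerts[aid].incident_id}")

    def create_incident(self, alert_ids: List[str]) -> str:
        self._require_unassigned(alert_ids)
        inc_id = f"INC-{self._next}"          # constructed id format
        self._next += 1
        self.incidents[inc_id] = []
        self.add_to_incident(inc_id, alert_ids)
        return inc_id

    def add_to_incident(self, inc_id: str, alert_ids: List[str]) -> None:
        self._require_unassigned(alert_ids)
        for aid in alert_ids:
            self.alerts[aid].incident_id = inc_id
            self.incidents[inc_id].append(aid)

    def delete_alerts(self, alert_ids: List[str]) -> List[str]:
        """Delete alerts; returns ids of incidents emptied and so removed."""
        removed = []
        for aid in alert_ids:
            a = self.alerts.pop(aid)
            if a.incident_id is not None:
                members = self.incidents[a.incident_id]
                members.remove(aid)
                if not members:               # it was the only alert
                    del self.incidents[a.incident_id]
                    removed.append(a.incident_id)
        return removed
```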