View a Summary of Alerts

In the Respond view, you can browse alerts from multiple sources. You can filter the alerts list to show only alerts of interest, for example by alert name, alert source, and a specific time range. Alerts come from the following sources:

  1. Detect AI
  2. Endpoint
  3. Event Stream Analysis
  4. Malware Analysis
  5. NetWitness Investigate
  6. Reporting Engine
  7. Risk Scoring
  8. User Entity Behavior Analysis
  9. Web Threat Detection

Perform the following steps to use the functionalities provided in the Respond view.

  1. Go to Respond > Alerts.
    The Respond Alerts List view displays a list of all NetWitness alerts.

  2. In the Filters panel on the left, you can filter the alerts list to view specific alerts for a specific time frame. For example, in the Alert Names section, you can select an alert for an ESA rule, such as Direct Login to an Administrative Account, and leave the Time Frame set to Last Hour.
    The alerts list to the right shows the alerts that match your filter selection, with a count of the matching alerts at the bottom of the list.
    Each alert in the list shows the following information:
    • Created: Displays the date and time when the alert was created in the source system.
    • Severity: Displays the level of severity of the alert. The values are from 1 to 100.
    • Name: Displays a basic description of the alert.
    • Source: Displays the original source of the alert.
    • # of Events: Indicates the number of events contained within an alert.
    • Host Summary: Displays details of the host from which the alert was triggered, such as the host name.
    • Incident ID: Shows the incident ID of the alert. If there is no incident ID, the alert does not belong to an incident.
  3. You can click an alert in the list to open an Overview panel on the right where you can view raw alert metadata.
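The filter behaviour described in step 2 (select an alert name such as Direct Login to an Administrative Account, optionally restrict the source, keep the time frame at Last Hour, and read the matching count) is easy to reason about as a small program. The following is an added example, not NetWitness code and not its API: it models the columns of the Respond Alerts List as a constructed Python record, builds a few constructed sample alerts with a fixed clock, and applies the same name, source and time-frame filters. It also reports which matching alerts have no Incident ID, which is the case the text calls out as "does not belong to an incident".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set

# Illustrative record mirroring the Respond Alerts List columns:
# Created, Severity, Name, Source, # of Events, Host Summary, Incident ID.
# This is an assumed model for the example, not NetWitness's own schema.
@dataclass(frozen=True)
class Alert:
    created: datetime
    severity: int            # documented range is 1 to 100
    name: str
    source: str              # e.g. "Event Stream Analysis", "Endpoint"
    num_events: int
    host_summary: str
    incident_id: Optional[str] = None   # None means not part of an incident

    def __post_init__(self) -> None:
        if not 1 <= self.severity <= 100:
            raise ValueError(f"severity {self.severity} outside 1..100")


# Fixed "now" so the Last Hour window is reproducible (constructed, UTC).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LAST_HOUR = timedelta(hours=1)

ESA = "Event Stream Analysis"
ADMIN_LOGIN = "Direct Login to an Administrative Account"

# Constructed sample alerts; two fall inside the last hour for the ESA rule,
# one is older than an hour, and one is from a different source/rule.
SAMPLE_ALERTS: List[Alert] = [
    Alert(NOW - timedelta(minutes=5), 80, ADMIN_LOGIN, ESA, 3, "host-a"),
    Alert(NOW - timedelta(minutes=30), 50, ADMIN_LOGIN, ESA, 1, "host-b", "INC-1"),
    Alert(NOW - timedelta(hours=3), 90, ADMIN_LOGIN, ESA, 2, "host-c"),
    Alert(NOW - timedelta(minutes=10), 20, "Suspicious Process", "Endpoint", 1, "host-a"),
]


def filter_alerts(
    alerts: Iterable[Alert],
    *,
    names: Optional[Set[str]] = None,
    sources: Optional[Set[str]] = None,
    time_frame: Optional[timedelta] = None,
    now: datetime = NOW,
) -> List[Alert]:
    """Apply the Filters panel selections: alert names, sources, time frame.

    An unset filter (None) matches everything, as leaving a filter section
    empty does in the UI. Results are newest first, like the Created column.
    """
    cutoff = now - time_frame if time_frame is not None else None
    matched = []
    for a in alerts:
        if names is not None and a.name not in names:
            continue
        if sources is not None and a.source not in sources:
            continue
        if cutoff is not None and a.created < cutoff:
            continue
        matched.append(a)
    return sorted(matched, key=lambda a: a.created, reverse=True)


def without_incident(alerts: Iterable[Alert]) -> List[Alert]:
    """Alerts whose Incident ID is empty, i.e. not yet part of an incident."""
    return [a for a in alerts if a.incident_id is None]


if __name__ == "__main__":
    hits = filter_alerts(SAMPLE_ALERTS, names={ADMIN_LOGIN}, time_frame=LAST_HOUR)
    for a in hits:
        print(a.created.isoformat(), a.severity, a.name, a.source,
              a.num_events, a.host_summary, a.incident_id or "-")
    print(f"{len(hits)} alert(s) match; "
          f"{len(without_incident(hits))} not yet in an incident")
```

The count printed at the end corresponds to the count shown at the bottom of the alerts list; the "not yet in an incident" figure is a useful triage number for an analyst deciding which alerts still need an incident created or assigned.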

For more information about filtering alerts and viewing alert details, see the NetWitness Respond User Guide.