Incidents List View
The Incidents List view (Respond > Incidents) shows Incident Responders and other Analysts a prioritized results list of incidents created from various sources. For example, your results list could show incidents created from ESA rules or NetWitness Endpoint. From the Incidents List view, you have easy access to the information that you need to quickly triage and manage incidents through completion.
Workflow
This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness.
In the Incidents List view, you can review the list of prioritized incidents, which shows basic information about each incident. You can also change the assignee, priority, and status of the incidents. Because the incident list can be large, you can filter it by time range, custom date range, incident ID, priority, status, assignee, and categories.
What do you want to do?
Role | I want to ... | Show me how |
---|---|---|
Incident Responders, Analysts, and SOC Manager | View prioritized incidents* | |
Incident Responders, Analysts, and SOC Manager | Filter and sort the incident list* | Filter the Incident List |
Incident Responders, Analysts | View my incidents* | View My Incidents |
Incident Responders, Analysts | Assign incidents to myself* | Assign Incidents to Myself |
Incident Responders, Analysts, and SOC Manager | Find incidents* | Find an Incident |
Incident Responders, Analysts, and SOC Manager | Send an incident to Archer Cyber Incident & Breach Response or update an incident* | |
Incident Responders, Analysts | View incident details | |
Incident Responders, Analysts | Further investigate an incident | Investigate the Incident |
Incident Responders, Analysts, and SOC Manager | Create a task | Escalate or Remediate the Incident |
*You can complete these tasks here (that is, in the Incidents List view).
Quick Look
The following example shows the initial Incidents List view with the Filters panel. You can open the Overview panel for an incident by clicking an incident in the Incidents List. The numbered callouts in the figure are:
1 | Filters Panel |
2 | Incidents List |
3 | Overview Panel |
You can go directly to the Incident Details view from the Incidents List by clicking the hyperlinked ID or NAME. The Overview panel is also available in the Incident Details view. For more information about the Incident Details view, see Incident Details View.
Incidents List View
To access the Incidents List view, go to Respond > Incidents. The Incidents List view displays a list of all incidents. The Incidents List view consists of a Filters panel, an Incidents List, and an Incidents Overview panel.
The following figure shows the Filter Panel on the left and the Incidents List on the right.
The following figure shows the incident Overview panel on the right.
Incidents List
The Incidents List shows a list of all of the prioritized incidents. You can filter this list to show only incidents of interest.
Column | Description |
---|---|
Created | Shows the creation date of the incident. |
Priority | Shows the incident priority. Priority can be Critical, High, Medium, or Low. The priority is color coded: red indicates a Critical incident, orange a High incident, yellow a Medium incident, and green a Low incident. |
Risk Score | Shows the incident risk score, a value between 0 and 100 calculated by an algorithm. 100 is the highest risk score. |
ID | Shows the automatically created incident number. Each incident is assigned a unique number that you can use to track the incident. |
Name | Shows the incident name. The incident name is derived from the rule used to trigger the incident. Click the link to go to the Incident Details view for the selected incident. |
Status | Shows the incident status. The status can be: Reopen, New, Assigned, In Progress, Task Requested, Task Complete, Closed, and Closed - False Positive. |
Assignee | Shows the team member currently assigned to the incident. |
Alerts | Shows the number of alerts associated with the incident. An incident may include many alerts. A large number of alerts might mean that you are experiencing a large-scale attack. |
MITRE ATT&CK Tactics | Shows the tactic associated with each incident, for example Credential Access. For more information on MITRE ATT&CK tactics, see the Use MITRE ATT&CK® Framework topic. |
At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number of incidents selected. For example: Showing 1000 out of 2517 items | 2 selected. The maximum number of incidents that you can view at one time is 1,000.
Incident Filters Panel
The following figure shows the filters available in the Filters panel.
The Filters panel, on the left of the Incidents List view, has options that you can use to filter the incidents list. When you navigate away from the Filters panel, the Incidents List view retains your filter selections.
Option | Description |
---|---|
Saved Filters | You can select a saved filter to filter the incident list. Saved filters are global. You can save a filter for other analysts to use and you can use any saved filter. Saved filters are also available for use on the Springboard landing page. Filters used in the Springboard cannot be deleted. (This option is available in NetWitness Platform 12.2 and later.) |
Time Range | You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the incident (the Created column). For example, if you select Last Hour, you can see incidents that were created within the last 60 minutes. |
Custom Date Range | You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar. |
Incident ID | Type the number of the incident that you would like to locate. For example, for INC-1050, type only the number "1050" to view the incident. |
Incident Name | Enter the exact name of the incident, or a part of it, to filter the list. Select one of the following options to control how the name is matched: |
Priority | Select the priorities that you would like to view. |
Status | Select one or more incident statuses. For example, select Closed - False Positive to view only false positive incidents, which were initially identified as suspicious, but then they were later found to be safe. |
Assignee | Select the assignee or assignees of the incidents that you would like to view. For example, if you only want to view the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. If you want to view incidents regardless of the assignee, do not make a selection under Assignee. To view only unassigned incidents, select Show only unassigned incidents (available in the latest NetWitness versions). |
Categories | Select one or more categories from the drop-down list. For example, if you only want to view incidents classified with the Backdoor or Privilege abuse categories, select Backdoor and Privilege abuse. |
MITRE ATT&CK Tactics | Select the tactic associated with the incident. |
MITRE ATT&CK Techniques | Select the technique associated with the incident. |
Sent to Archer | (If Archer is configured as a data source in Context Hub, you can send incidents to Archer Cyber Incident & Breach Response and this option will be available in NetWitness Respond.) To view incidents that were sent to Archer, select Yes. For incidents that were not sent to Archer, select No. |
Reset | Removes your filter selections. If you reset filters on a saved filter, it takes you to the default empty filter. |
Save | Saves the currently applied incidents filter or updates a saved filter. For a new filter, choose a unique name that contains 1-256 alphanumeric characters, underscores, or hyphens. (This option is available in the latest NetWitness versions.) |
Save As | Saves the currently applied incidents filter for future use. Choose a unique name that contains 1-256 alphanumeric characters, underscores, or hyphens. (This option is available in the latest NetWitness versions.) |
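The following Python is an added example, not code from the NetWitness documentation or product: it models the filter semantics described in the table above (time range on the incident creation date, custom date range taking precedence over a preset, the bare incident number with or without the INC- prefix, substring matching on the name, any-of matching for priority, status, assignee and categories, the unassigned-only switch, the tri-state Sent to Archer option, and the 1,000-row display cap) and runs them over a constructed list of incidents. The incident dictionary layout, the preset lookback windows, and the ordering by priority then risk score are assumptions made for the example.

```python
"""Local model of the Filters panel semantics (added example, not NetWitness code).

Assumptions not taken from the page: incidents are dicts keyed by the Incidents
List column names, timestamps are timezone-aware UTC datetimes, the preset
lookback windows, and the ordering (priority, then risk score).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_DISPLAYED = 1000  # the list shows at most 1,000 incidents at a time
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
TIME_RANGES = {  # preset label -> lookback window (assumed presets)
    "Last Hour": timedelta(hours=1),
    "Last 24 Hours": timedelta(hours=24),
    "Last 7 Days": timedelta(days=7),
}


@dataclass(frozen=True)
class IncidentFilter:
    time_range: str | None = None          # key of TIME_RANGES
    start: datetime | None = None          # custom date range; overrides time_range
    end: datetime | None = None
    incident_id: str | None = None         # "1050" or "INC-1050"
    name_contains: str | None = None       # substring match on the incident name
    priorities: frozenset = frozenset()    # empty set = no restriction
    statuses: frozenset = frozenset()
    assignees: frozenset = frozenset()
    only_unassigned: bool = False          # "Show only unassigned incidents"
    categories: frozenset = frozenset()    # any-of match
    sent_to_archer: bool | None = None     # None = Yes or No


def normalize_incident_id(value: str) -> int:
    """Accept '1050' or 'INC-1050' (any case) and return the bare number."""
    digits = value.strip().upper().removeprefix("INC-")
    if not digits.isdigit():
        raise ValueError(f"not an incident number: {value!r}")
    return int(digits)


def matches(inc: dict, f: IncidentFilter, now: datetime) -> bool:
    """Return True when the incident passes every populated filter option."""
    created = inc["created"]
    if f.start is not None or f.end is not None:  # custom range wins over preset
        if f.start is not None and created < f.start:
            return False
        if f.end is not None and created > f.end:
            return False
    elif f.time_range is not None and created < now - TIME_RANGES[f.time_range]:
        return False
    if f.incident_id is not None and inc["id"] != normalize_incident_id(f.incident_id):
        return False
    if f.name_contains and f.name_contains.lower() not in inc["name"].lower():
        return False
    if f.priorities and inc["priority"] not in f.priorities:
        return False
    if f.statuses and inc["status"] not in f.statuses:
        return False
    if f.only_unassigned:
        if inc.get("assignee"):
            return False
    elif f.assignees and inc.get("assignee") not in f.assignees:
        return False
    if f.categories and not f.categories.intersection(inc.get("categories", ())):
        return False
    if f.sent_to_archer is not None and bool(inc.get("external_id")) != f.sent_to_archer:
        return False
    return True


def filter_incidents(incidents, f: IncidentFilter, now: datetime) -> tuple[list[dict], int]:
    """Apply the filter, order by priority then risk score, cap at MAX_DISPLAYED.

    Returns (displayed rows, total matching count), mirroring "Showing N out of M items".
    """
    hits = [i for i in incidents if matches(i, f, now)]
    hits.sort(key=lambda i: (PRIORITY_RANK[i["priority"]], -i["risk_score"], i["id"]))
    return hits[:MAX_DISPLAYED], len(hits)


# Constructed sample data for the demo; not real incidents.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    {"id": 1050, "name": "Credential Access Detected", "created": NOW - timedelta(minutes=20),
     "priority": "High", "risk_score": 85, "status": "New", "assignee": None,
     "categories": ["Backdoor"], "external_id": None},
    {"id": 1051, "name": "Privilege Abuse on Host", "created": NOW - timedelta(hours=5),
     "priority": "Critical", "risk_score": 95, "status": "Assigned", "assignee": "Cale",
     "categories": ["Privilege abuse"], "external_id": "CIR-2001"},
    {"id": 1052, "name": "Suspicious Outbound Beacon", "created": NOW - timedelta(days=2),
     "priority": "Medium", "risk_score": 60, "status": "Closed - False Positive",
     "assignee": "Stanley", "categories": ["Malware"], "external_id": None},
    {"id": 1053, "name": "Credential Access Detected", "created": NOW - timedelta(minutes=50),
     "priority": "Low", "risk_score": 20, "status": "New", "assignee": None,
     "categories": [], "external_id": None},
]

if __name__ == "__main__":
    page, total = filter_incidents(SAMPLE_INCIDENTS, IncidentFilter(time_range="Last Hour"), NOW)
    print(f"Showing {len(page)} out of {total} items:", [i["id"] for i in page])
```

Two details worth noting when reading the model: an empty selection for a multi-value option means "no restriction", which is why leaving Assignee unselected returns incidents regardless of assignee, and the unassigned-only switch deliberately takes precedence over any assignee selection so the two cannot contradict each other.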
Incident Overview Panel
The Overview panel shows basic summary information about a selected incident. From the Incidents List, you can click an incident to access the Overview panel. The Overview panel in the Incident Details view contains the same information.
The following table lists the fields displayed in the Incident Overview panel.
Field | Description |
---|---|
<Incident ID> | Displays the incident ID. |
Send to Archer / Sent to Archer | (If Archer is configured as a data source in Context Hub, you can escalate incidents to Archer Cyber Incident & Breach Response and this option will be available in NetWitness Respond.) Shows whether the incident was sent to Archer Cyber Incident & Breach Response. |
<Incident Name> | Displays the name of the incident. You can click the incident name to change it. For example, rules can create many incidents with the same name; you can change the incident names to be more specific. |
Created | Shows the creation date and time of the incident. |
Rule / By | Shows the name of the rule that created the incident or the name of the person who created the incident. |
Risk Score | Shows a value between 0 and 100 that indicates the risk of the incident as calculated by an algorithm. 100 is the highest risk score. |
Priority | Shows the incident priority. Priority can be Critical, High, Medium, or Low. To change the priority, click the Priority button and select a new priority from the drop-down list. |
Status | Shows the incident status. The status can be Reopen, New, Assigned, In Progress, Task Requested, Task Complete, Closed, and Closed - False Positive. To change the status, click the Status button and select a new status from the drop-down list. |
Assignee | Shows the team member currently assigned to the incident. To change the assignee, click the Assignee button and select a new assignee from the drop-down list. |
Sources | Displays the data sources used to locate the suspicious activity. |
Categories | Displays the categories of the incident events. |
Catalysts | Displays the count of indicators that gave rise to the incident. |
External ID | Stores the ID under which this incident is referred to on a different platform. Note: Click Send to Archer to generate the External ID. The generated ID is automatically stored as the External ID. |
Time to Acknowledge | Displays the time taken to assign the incident after it was created. |
Time to Detect | Displays the time taken to complete the task after the incident was assigned. |
Time to Resolve | Displays the time taken to close the task after the incident was created. |
Persisted Status | Displays the persisted status of the incident. The status can be Complete, Partial, or None (-). |
MITRE ATT&CK Tactics | Displays the tactic associated with the incident. |
MITRE ATT&CK Techniques | Displays the technique associated with the incident. |
Toolbar Actions
This table lists the toolbar actions available in the Incidents List view.
Option | Description |
---|---|
Filters icon | Opens the Filters panel so that you can specify the incidents that you would like to see in the Incidents List. |
Close icon | Closes the panel. |
Change Priority button | Allows you to change the Priority of one or more selected incidents in the Incidents List. |
Change Status button | Allows you to change the Status of one or more selected incidents. |
Change Assignee button | Allows you to change the Assignee of one or more selected incidents. |
Delete button | Allows you to delete the selected incidents if you have the appropriate permissions, such as an Administrator or Data Privacy Officer. |
Retention Usage button | Allows an analyst to fetch the statistics of all the configured services and the percentage used by the pinned cache directories. |