
Incident Details View

In the Incident Details view (Respond > Incidents > click an ID or NAME hyperlink in the Incidents List), you can view and access extensive incident details. The Incident Details view contains multiple panels that provide the following benefits:

  • Overview: View an incident summary and update the incident.
  • Indicators: View the indicators (alerts) involved in the incident, the events within those alerts, and available enrichment information. You can also access Event Analysis details for some events and perform event reconnaissance.
  • Related Indicators: View indicators (alerts) that are related to the incident and add them to the incident if they are not associated with an incident.
  • History: View all the actions performed by the user on any incident.
  • Nodal Graph: Visualize the size and interactions between entities (IP address, MAC address, user, host, domain, file name, or file hash).
  • Events List: Study the events associated with the incident.
  • Journal: Add notes and collaborate with other analysts.
  • Tasks: Create incident tasks and track them to closure.

You can also filter the data in the Incident Details view to study indicators and entities of interest.

Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in NetWitness.

netwitness_incdetails_ui_wf_576x150.png

In the Incident Details view, you can use the extensive information provided about the incidents to determine which incidents require action. You also have the tools and information to investigate the incident, and then escalate or remediate it.

What do you want to do?

  • Role: Incident Responders, Analysts, and SOC Manager
    I want to ...: View prioritized incidents, filter and sort the incident list, find incidents, view my incidents, and assign incidents to myself.
    Show me how: Review Prioritized Incident List

  • Role: Incident Responders, Analysts
    I want to ...: View incident details.*
    Show me how: View Incident Details

  • Role: Incident Responders, Analysts
    I want to ...: View contextual information about an incident from Context Hub.*
    Show me how: View Contextual Information

  • Role: Incident Responders, Analysts
    I want to ...: Reduce false positives by adding an entity to a whitelist.*
    Show me how: Add an Entity to a Whitelist

  • Role: Incident Responders, Analysts, and SOC Manager
    I want to ...: Send an incident to Archer Cyber Incident & Breach Response.*
    Show me how: Send an Incident to Archer

*You can complete these tasks here (that is, in the Incident Details view).

Quick Look

The following example shows the locations of the Incident Details view panels.

netwitness_history_view.png

  1. Overview (Click the Overview tab to view the Overview panel.)
  2. Indicators panel
  3. Related Indicators panel (Click the Find Related tab to view it.)
  4. Nodal Graph
  5. Events List (Click the top of an event in the Events List to view event details.)
  6. Journal panel
  7. Tasks panel (Click the Tasks tab to view it.)
  8. Events (Click an event type hyperlink in the Indicators panel, such as Network, to view the Events view from Investigate for a specific indicator event.)
  9. UEBA (Click a User Entity Behavior Analytics hyperlink in the Indicators panel to view UEBA.)
  10. History panel

Note: Your Incident Details view may not look like these diagrams because the layout changed in NetWitness 11.3.2 and later versions:
The Related tab is renamed to the Find Related tab and is located in the left-side panel.
The journal is open by default in the right-side panel. When the journal is closed, the Journal & Tasks button gives quick access to notes and tasks.

Overview Panel

The Overview panel shows basic summary information about a selected incident. It also allows you to change the incident name and update the incident priority, status, and assignee. The Overview panel in the Incidents List view contains the same information. The Incidents List view Incident Overview Panel topic provides details.

To view the Overview panel in the Incident Details view, click the Overview tab in the left panel.

netwitness_time_to_resolve_incident_overview.png

Indicators Panel

The Indicators panel contains a chronological listing of indicators. Indicators are alerts, such as an ESA alert or a NetWitness Endpoint alert. (This is different from a timeline, which provides a visual representation of the timing of the events in the incident.) This listing helps you connect indicators and notable data. For example, an IP address involved in a command and control ESA alert might also have triggered a NetWitness Endpoint alert or other suspicious activity.

To view the Indicators panel, in the left panel of the Incident Details view, click the Indicators tab.

netwitness_incdetql9_384x757.png

Data source information is shown below the names of the indicators. You can also see the creation date and time of the indicator and the number of events in the indicator. In the Indicators panel, you can drill deeper into the events associated with the listed indicators to get a better understanding of the events.

Note: The maximum number of indicators (alerts) displayed in the Indicators panel is 1,000.

Related Indicators Panel

The Related Indicators panel enables you to search the NetWitness alerts database to find alerts that are related to this incident. You can add alerts that you find to the incident if they are not already associated with an incident.

To view the Related Indicators panel, in the left panel of the Incident Details view, click the Find Related tab.

netwitness_findalertsrelated_384x809.png

The following describes the fields in the search section at the top of the panel.

  • Find: Select the entity type that you want to locate in the alerts. For example, IP.
  • Value: Type the value of the entity. For example, type the actual IP address of the entity.
  • When: Select a time range to search for the alerts. For example, Last 24 hours.
  • Find button: Initiates the search. A list of related indicators appears below the Find button in the Indicators for section.

The following describes the options in the Indicators for (results) section at the bottom of the panel.

  • Indicators For: Shows the search results.
  • Open in new window link: Shows alert details for the indicator.
  • Add To Incident button: Adds the related indicator to the incident. The related indicator is then listed in the Indicators panel.
  • Part Of This Incident button: Shows that the indicator is already part of the incident.
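The following Python example is added here to make concrete the correlation that the Indicators and Find Related panels support; it is not NetWitness code and uses no NetWitness API. It models an alert store in which each alert carries its data source, creation time, entity values and an optional owning incident; implements the Find search (entity type, value, time window); labels each hit the way the results section does; keeps the incident's indicator listing chronological and capped at 1,000 entries; and enforces the rule that an alert can be added only when it is not already associated with an incident. The alert records, incident IDs, entity values and the "Associated with ..." label for alerts owned by a different incident are constructed for this illustration.

```python
"""Added example, not NetWitness code: alert correlation in the spirit of the
Indicators and Find Related panels. Every alert, entity value and identifier
below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_INDICATORS = 1000  # the Indicators panel shows at most 1,000 alerts

# Constructed anchor time ("now") for the sample data and the 24-hour window.
T0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=1)


@dataclass
class Alert:
    alert_id: str
    source: str                  # data source, e.g. "ESA" or "Endpoint"
    name: str
    created: datetime
    entities: Dict[str, str]     # entity type -> value, e.g. {"ip": "10.0.0.5"}
    event_count: int
    incident_id: Optional[str] = None   # None: not associated with any incident


@dataclass
class Incident:
    incident_id: str
    indicators: List[Alert] = field(default_factory=list)

    def listing(self) -> List[Alert]:
        """Chronological indicator listing, capped like the Indicators panel."""
        return sorted(self.indicators, key=lambda a: a.created)[:MAX_INDICATORS]


def find_related(alerts: List[Alert], entity_type: str, value: str,
                 since: datetime, until: datetime) -> List[Alert]:
    """Find: alerts whose entity of the given type equals value, inside the window."""
    hits = [a for a in alerts
            if a.entities.get(entity_type) == value and since <= a.created <= until]
    return sorted(hits, key=lambda a: a.created)


def relation_state(alert: Alert, incident: Incident) -> str:
    """Label a search hit the way the Indicators for results section does."""
    if alert.incident_id == incident.incident_id:
        return "Part Of This Incident"
    if alert.incident_id is None:
        return "Add To Incident"
    # Constructed label: the alert belongs to another incident and cannot be added here.
    return f"Associated with {alert.incident_id}"


def add_to_incident(alert: Alert, incident: Incident) -> bool:
    """Attach the alert only if it is not already associated with an incident."""
    if alert.incident_id is not None:
        return False
    alert.incident_id = incident.incident_id
    incident.indicators.append(alert)
    return True


def build_sample() -> Tuple[List[Alert], Incident]:
    """Constructed alerts: a C2 alert already in INC-1, an endpoint alert on the
    same host not yet in any incident, an older alert owned by INC-2, and noise."""
    a1 = Alert("A1", "ESA", "C2 Beacon Detected", T0,
               {"ip": "10.0.0.5", "host": "ws-17"}, 12, incident_id="INC-1")
    a2 = Alert("A2", "Endpoint", "Suspicious Process Launch", T0 + timedelta(minutes=10),
               {"ip": "10.0.0.5", "host": "ws-17", "file_hash": "d41d8cd9"}, 3)
    a3 = Alert("A3", "ESA", "Port Scan", T0 - timedelta(hours=3),
               {"ip": "10.0.0.5"}, 40, incident_id="INC-2")
    a4 = Alert("A4", "Endpoint", "Lateral Movement", T0 + timedelta(minutes=30),
               {"ip": "10.0.0.9", "host": "ws-22"}, 5)
    incident = Incident("INC-1", indicators=[a1])
    return [a1, a2, a3, a4], incident


def run_example() -> dict:
    """Find IP 10.0.0.5 over the last 24 hours, then try to add every hit to INC-1."""
    alerts, incident = build_sample()
    hits = find_related(alerts, "ip", "10.0.0.5", NOW - timedelta(hours=24), NOW)
    states = {a.alert_id: relation_state(a, incident) for a in hits}
    added = {a.alert_id: add_to_incident(a, incident) for a in hits}
    return {
        "hits": [a.alert_id for a in hits],
        "states": states,
        "added": added,
        "listing": [a.alert_id for a in incident.listing()],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Only the endpoint alert that has no owning incident is attached; the alert already in INC-1 is reported as part of this incident, and the alert owned by INC-2 is left alone. Sorting the listing by creation time is what lets an analyst read the port scan, the C2 beacon and the suspicious process launch as one sequence on the same host.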

History Panel

The History panel displays every action performed by a user on an incident. The following actions are recorded:

  • Incident Assignee Change

  • Incident Status Change

  • Incident Priority Change

  • Incident Creation

Every time a user performs an action on an incident, the date and time are also recorded and displayed in the panel. Consider the following example:

netwitness_hstry_panel.png

The different actions performed by the user are described below.