Skip to content
  • There are no suggestions because the search field is empty.

Responding to Incidents

Responding to IncidentsResponding to Incidents

An Incident is a logically grouped set of alerts created automatically by the Incident Aggregation Engine and grouped by a specific criteria. An incident, available in the Respond view, allows an Analyst to triage, investigate, and remediate these groups of alerts. Incidents can be moved between users, notated, and explored using a nodal graph. Incidents allow users to ensure that they understand the full scope of an attack or event in their NetWitness system and then take action.

The Respond view is designed to help you quickly identify the ongoing issues in your network and work with other Analysts to quickly solve the issues.

The Respond view presents Incident Responders with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. This enables you to determine the incident scope so you can escalate or remediate it as appropriate.

Within the Respond view, you can see Incidents, Alerts, and Tasks:

  • Incidents: Enables you to respond to and manage incidents from start to finish.
  • Alerts: Enables you to manage alerts from all sources received by NetWitness and create incidents from selected alerts.
  • Tasks: Enables you to view and manage the complete list of tasks created for all incidents.

If you navigate to Respond > Incidents, you can see the Incidents List view and from there you can access the Incident Details view for a selected incident. These are the main views that you use to respond to incidents. The following figure shows the list of prioritized incidents in the Incidents List view.

netwitness_12.1_inclistview2_1122_960x527.png

The next figure shows an example of details available in the Incident Details view.

netwitness_12.1_incdetvw_1122_960x470.png

The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.

netwitness_12.1_incdetea_1122_960x554.png

In NetWitness Version 11.4 and later, alerts and incidents are also displayed in the Springboard by default. Springboard is a landing page for analysts showing them all risks detected by the platform in a single place. For more information on the Springboard, see "Managing the Springboard" in the NetWitness Platform Getting Started Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

netwitness_12.1_analystspringboard_1122_960x531.png

Respond Persist Data Respond Persist Data

The primary objective of this feature is to enable you to investigate events for a longer period of time. When investigating a set of alerts or events, it is important to have the assurance that the underlying data (raw and meta) will be available for both the length of time it takes to run the analysis, and for historical look up. From NetWitness Platform Version 11.6, you can persist events that are associated with particular incidents, thereby enabling you to view the incident in the future, regardless of its age. You can also add a new journal entry in the JOURNAL tab for the persisted events for future reference. The event data will always be available for viewing and reconstruction as long as the event is persisted, enabling you to easily refer back to details, even if the original event has rolled over from the NetWitness database.

Once you persist an event, the data is copied from the NetWitness database into a long term storage cache within the data source. You can persist or suspend persist events per incident or per alert within an incident or a specific event in an alert that belongs to an incident. The roll over in the NetWitness database does not impact the events that are already saved in the long term cache.

You can:

  • You can persist or suspend persist events per incident or per alert within an incident or a specific event in an alert that belongs to an incident.

  • Perform complete event reconstruction for persisted events even after the session is rolled over from the NetWitness database.

  • Filter incidents which has persisted events.

  • Suspend persist of all events associated with an incident, even if only a few events persisted in it.

  • Remove all associated persisted events by deleting an alert or incident.

This topic contains the following basic Respond Persist Data procedures:

Customizing Respond Persist Data Customizing Respond Persist Data

The persisted events are saved in the directory /var/netwitness/pin- , by default. You can manually change the event storage location from the default directory to any other directory, as per the requirement. You can increase the storage space as per your requirement by performing an Network File System (NFS) mount. For more information on how to perform an NFS mount, see Configure the Destination Using NFS.

To customize the persist directory:

1. Go to Admin >Services.
The Services page appears.

2. From the Filter pull down menu, select the concentrator and the log decoder services.
The concentrator and log decoder are listed in the Services page.

3. Go to Actions > View > Explore.
The Explore page appears.

4. Go to sdk > config .

The Configuration page appears.

The following table provides information on the default values for each parameter that are configured in the Configuration page.

  • Column 1: S.No
  • Column 2: Parameter
  • Column 3: Default Value

  • Column 1: 1.
  • Column 2: Long Term Cache Behavior (pin.cache.behavior)
  • Column 3: fail-on-new

  • Column 1: 2.
  • Column 2: Long Term Cache Directory (pin.cache.dir)
  • Column 3: /var/netwitness/pin- ***

  • Column 1: 3.
  • Column 2: Long Term Cache Size (pin.cache.size)
  • Column 3: 10 GB

2. [Optional]*** In the Long Term Cache Directory (pin.cache.dir), enter the path of the custom directory where you want to save the persisted events, if you do not want to use the default location. The default path is /var/netwitness/pin- .

Note: When you install NetWitness Platform for the first time or upgrade to the 11.6 version, the directories are pre-configured with default values.

Working with Incident FiltersWorking with Incident Filters

You can filter incidents based on the persisted events.

To filter incidents:

  1. Go to Respond > INCIDENTS.

The INCIDENT page appears.

2. In the FILTERS tab, the CONTAINS PERSISTED EVENTS menu provides the filters to view incidents based on the persisted events.

  1. Select Yes to view the incidents that contain persisted events.
  2. Select No to view the incidents that do not contain persisted events.

For more information on working with filters, see Filter the Incident List.

netwitness_12.1_incident_filter_1122.png

Persist and Suspend Persist Events Persist and Suspend Persist Events

Persist an event to retain the event and thereby, copy the event data from the regular database into a long-term storage cache within the NetWitness source. Suspend persist the event to delete the event in the long-term storage cache.

  • To persist an event, click the flag listed under each of the event. The selected flag is highlighted, and the message Event Persisted successfully appears.
  • To suspend persist event, click a highlighted flag (persisted event) once again. The selected flag is no longer highlighted, and the message Suspended Event Persist successfully appears.
  • To persist all events in an alert, click the flag at the alert level. The selected flag is highlighted along with all the flags associated with events of the alert.
  • To suspend persist all events in an alert, click the flag at the alert level. The selected flag is highlighted along with all the flags associated with events of the alert.

netwitness_12.1_pinunpin_1122.png

Change Event RetentionChange Event Retention

Incidents can contain multiple persisted events, for which analysis has been completed. They can be suspended from persisting at a time using this feature.

Note: A maximum of 1 incident can be persisted or suspend persisted at a time in the source NetWitness database. If you try to change event retention for more than 1 incidents, an error message will be displayed. This limitation is introduced to optimize and extract the best performance for this feature. This limit cannot be changed.

To change event retention:

  1. Go to Respond > INCIDENTS.
    All the incidents are listed in the INCIDENTS page.

  2. Click the selection check-box to select the incident.

  3. Click Change Events Retention > Persist all events or Suspend Persist all events.
    The Confirm change in Retention window appears.

  4. Click OK.
    The events in the selected incident are either persisted or suspended from persisting.

Note: You cannot change the event retention for incidents that are in New or Closed state.

Note: Suspending persist of events in an incident from NetWitness will delete it from the long term cache of the source only. This may not be reversible if the original event data has rolled out in the source database. The events will be deleted permanently.

netwitness_12.1_suspend_persist_1122_1785x704.png

When you delete incidents or alerts, or suspend persist all the events in an incident, the action will always be successful. However, there are chances for the back-end function to fail due to, but not limited to the following reasons:

  • Decoder/Concentrator outage
  • Network disruption
  • Service Outage

A data retention job is scheduled to run on a daily basis to clean up the events that failed from being deleted. To access the data retention job settings, see To change event retention:

The following table provides information on the parameters that are configured to run the job, which are enabled by default:

  • Column 1: Parameter
  • Column 2: Default Setting

  • Column 1: failure-count
  • Column 2: 5

  • Column 1:

    persisted-events-retention-job-enabled

  • Column 2:

    true - default false.


  • Column 1:

    persisted-alerts-retention-period

  • Column 2:

    90 Days


Everyday at a preset time, the data retention job is executed. The default failure-count is set to 5 days. If the data retention job is unable to suspend persist an event from the back-end after 5 days, it deletes the event from the repository.

Note: The retention period of risk score context is the same as the retention period of alerts. For example, if the retention period for alerts is set to 90 days, then the retention period of risk score context is also set to 90 days automatically.

Responding to Incidents Workflow

This workflow shows the high-level process that Incident Responders use to respond to incidents in the Respond view.

netwitness_respnavworkflow3_576x77.png

First, you review the list of prioritized incidents, which shows basic information about each incident, and determine which incidents require action. You can click a link in an incident to get a clearer picture of the incident with supporting details in the Incident Details view. From there, you can further investigate the incident. You can then determine how to respond to the incident, by escalating or remediating it.

These are the basic steps for responding to an incident:

  1. Review Prioritized Incident List
  2. Determine which Incidents Require Action
  3. Investigate the Incident
  4. Escalate or Remediate the Incident

Review Prioritized Incident ListReview Prioritized Incident List

In the Respond view, you can view the list of prioritized incidents. The incident list shows both active and closed incidents.

This topic contains the following basic incident list procedures:

View the Incidents ListView the Incidents List

After logging in to NetWitness, most Incident Responders see the Respond view, which is set as the default view. If you have a different initial view, you can navigate to the Respond view.

  1. Log in to NetWitness.
    The Respond view shows the list of incidents, also referred to as the Incident List view.
    netwitness_inclistview2.png
  2. If you do not see the incidents list in the Respond view, go to Respond > Incidents.
  3. Scroll through the incidents list, which shows basic information about each incident as described in the following table.
  • Column: Created
  • Description: Shows the creation date of the incident.

  • Column: Priority
  • Description: Shows the incident priority. Priority can be Critical, High, Medium, or Low.
    The Priority is color coded, where red indicates a Critical incident, orange represents a High risk incident, yellow indicates a Medium risk incident, and green represents a Low risk incident. For example:
    netwitness_prioritylevels.png

  • Column: Risk Score
  • Description: Shows the incident risk score. The risk score indicates the risk of the incident as calculated using an algorithm and is between 0-100. 100 is the highest risk score.

  • Column: ID
  • Description: Shows the automatically created incident number. Each incident is assigned a unique number that you can use to track the incident.

  • Column: Name
  • Description: Shows the incident name. The incident name is derived from the rule used to trigger the incident. Click the link to go to the Incident Details view for the selected incident.

  • Column: Status
  • Description: Shows the incident status. The status can be: Reopen, New, Assigned, In Progress, Task Requested, Task Complete, Closed, and Closed - False Positive.

  • Column: Assignee
  • Description: Shows the team member currently assigned to the incident.

  • Column: Alerts
  • Description: Shows the number of alerts associated with the incident. An incident may include many alerts. A large number of alerts might mean that you are experiencing a large-scale attack.

  • Column: MITRE ATT&CK Tactics
  • Description:

    Shows the particular Tactic associated with each Incident.

    For example: Credential Access.

    For more information on MITRE ATT&CK Tactics, see Use MITRE ATT&CK® Framework topic.


At the bottom of the list, you can see the number of incidents on the current page, the total number of incidents, and the number selected. For example: Showing 1000 out of 1115 items | 3 selected. The maximum number of incidents that you can view at one time is 1,000.

Filter the Incident ListFilter the Incident List

The number of incidents in the Incidents List view can be very large, making it difficult to locate particular incidents. The Filter enables you to specify those incidents that you would like to view. You can also choose the timeframe when those incidents occurred. For example, you may want to view all of the new critical incidents created within the last hour.

  1. Verify that the Filters panel appears to the left of the incidents list. If you do not see the Filters panel, in the Incident List view toolbar, click netwitness_ic-filterclosed2_20x20.png, which opens the Filters panel.

    netwitness_new_status_filter.png

  2. In the Filters panel, select one or more options to filter the incidents list:
    • Time Range: You can select a specific time period from the Time Range drop-down list. The time range is based on the creation date of the incidents. For example, if you select Last Hour, you can see incidents that were created within the last 60 minutes.
    • Custom Date Range: You can specify a specific date range instead of selecting a Time Range option. To do this, click the white circle in front of Custom Date Range to view the Start Date and End Date fields. Select the dates and times from the calendar.
      netwitness_custdaterange_288x360.png
    • Incident ID: Type the number of the incident that you would like to locate. For example, for INC-1050, type only the number "1050" to view the incident.
    • Priority: Select the priorities that you would like to view.
    • Status: Select one or more incident statuses. For example, select Closed - False Positive to view only false positive incidents, which were initially identified as suspicious, but then they were later found to be safe.
    • Assignee: Select the assignee or assignees of the incidents that you would like to view. For example, if you only want to view the incidents assigned to Cale or Stanley, select Cale and Stanley from the Assignee drop-down list. If you want to view incidents regardless of the assignee, do not make a selection under Assignee.
      (Available in version 11.1 and later) To view only unassigned incidents, select Show only unassigned incidents.
    • Categories: Select one or more categories from the drop-down list. For example, if you only want to view incidents classified with the Backdoor or Privilege abuse categories, select Backdoor and Privilege abuse.
    • MITRE ATT&CK Tactics: Select the tactic associated with the incident.

    • MITRE ATT&CK Techniques: Select the technique associated with the incident.

    • Sent to Archer: (In version 11.2 and later, if Archer is configured as a data source in Context Hub, you can send incidents to Archer Cyber Incident & Breach Response and this option will be available in NetWitness Respond.) To view incidents that were sent to Archer, select Yes. For incidents that were not sent to Archer, select No.
    • CONTAINS PERSISTED EVENTS: Select a filter to view incidents based on the persisted events.

    The incidents list shows a list o ,,,,,,, ,,,,,,, ,,,,,,, click netwitness_ic-x-close2.png. Your filters remain in place until you remove them.

,,,,,,, ,,,,,,, if you are not seeing the number of incidents that you expect to see or you want to view all of the incidents in your incident list, you can reset your filters.,,,,,, click netwitness_ic-filterclosed2_20x20.png.
The Filters panel appears to the left of the incidents list.
  • At the bottom of the Filters panel, click Reset.
    • ,,,,,, ,,,,,,, ,,,,,,, you may want to create a filter to show only critical incidents over the last 24 hours.,,,,,,, ,,,,,,, select one or more options to filter the incidents list. For example, in the Time Range field, select Last 24 Hours, and for Priority, select Critical.
  • Click Save As and in the Save Filter dialog, enter a unique name for the filter and save it, for example Last24Hours-Critical.
    netwitness_savefilterdg_384x191.png
    The filter is added to the Saved Filters list.
    netwitness_savedfilter_288x94.png
    • , ,,,,,,, ,,,,,,, select a saved filter.
  • Update your filter selections and click Save.
    • ,,,,,,, ,,,,,,, ,,,,,,, you can remove it from the saved filters list. Filters used in the Springboard cannot be deleted.,,,,,,, open the Saved Filters drop-down list.
    netwitness_savedfilterdd_288x143.png
  • Next to the filter name, click netwitness_ic-trashblue.png to delete it.
    • ,,,,,, ,,,,,,, ,,,,,,, in the Incidents List view toolbar, click netwitness_ic-filterclosed2_20x20.png.
  • In the Filter panel, under Assignee, select Myself (your full name) from the drop-down list.
    netwitness_viewmyincidents_288x161.png
    The incidents list shows the incidents that are assigned to you.
    netwitness_12.1_viewmyincidents2_1122_864x477.png
    • ,,,, ,,,,,,, you can quickly locate an incident using the Filter. For example, you may want to locate a specific incident out of thousands of incidents.,,,,,, in the Incident Lists view toolbar, click netwitness_ic-filterclosed2_20x20.png, which opens the Filters panel.
    netwitness_findinc1_288x180.png
  • In the INCIDENT ID field, type the Incident ID for an incident that you would like to locate, for example, type 25 for INC-25.,, try resetting your filters.
    netwitness_12.1_findinc2_1122_864x181.png,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, to prioritize the incidents, you can sort your view by clicking the Priority column header. The following figure shows the incidents list sorted by Priority in ascending order netwitness_ic-colsortasc2.png (lowest priority on top).,,,,,, ,,,,,,, click the Priority column header again. The highest priority incidents are at the top as shown in the following figure.,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, in the Incident List view toolbar, click netwitness_ic-filterclosed2_20x20.png.
  • In the Filters panel, under Assignee, select Show only unassigned incidents.
    netwitness_11.2_showunassigninc_336x99.png
    The incidents list is filtered to show unassigned incidents.
    • ,,,, ,,,,,,, select one or more incidents that you want to assign to yourself.
  • Click Change Assignee and select Myself (your full name) from the drop-down list.