View Insight Alerts from Respond View

Analysts can monitor and review alerts generated by NetWitness Insight, which offers crucial information on network assets. These alerts are available on the Respond > Alerts page within the NetWitness platform, where analysts can access a detailed list of alerts, each highlighting specific details about the network asset it concerns.

Note

NetWitness recommends that users upgrade to version 12.4.1 or later to benefit from the significant improvements made to Insight.

Asset category change over time

NetWitness Insight introduces a new alert named Asset category change over time. This feature establishes a baseline for an asset’s category and monitors the asset for any category changes. If the asset category changes after the same category was observed for 7 consecutive days, NetWitness Insight generates an alert for that asset.

If the category of an asset changes over time, the purpose of the asset has been altered. For example, if an asset serves as an HTTP server for a week and then suddenly changes into a DNS server, there could be several reasons for the change: a configuration modification made by the administrator, or the asset having been compromised by an unauthorized person who gained access to the network and altered it.

New asset discovered in environment

NetWitness Insight introduces a new alert named New asset discovered in environment from version 12.3.1 or later. This alert is generated whenever an asset of type Server is detected in the environment for the first time, or when an existing asset has not been observed by NetWitness Insight for the last 30 days. This alert is generated only for assets that NetWitness Insight identifies as servers. This feature enhances visibility and gives analysts an improved understanding of the assets present in the environment.

Note

- This alert is generated only for assets identified as Server, FewClients, Many Services Few Clients, Many Services Some Clients, and Many Services Many Clients. An alert is not generated for assets identified as Client or Undefined types.

- NetWitness recommends that you enable this feature only after you have deployed all the sensors. If you add a new sensor after the feature is enabled, Insight considers all the servers observed only by that sensor as new assets and generates new alerts for them.

Asset exported services change over time

NetWitness Insight introduces a new alert named Asset exported services change over time from version 12.5 or later. If the services exported by an asset change after the same services were observed for 7 consecutive days, NetWitness Insight generates an alert for that asset. The alert is generated even if the asset category remains unchanged. For example, take an asset that exported an HTTP service for a week and then began exporting both DNS and HTTP services. NetWitness Insight detects that DNS was added to the list of exported services after the initial 7-day period of HTTP service and generates an alert.

Asset type change over time

NetWitness Insight introduces a new alert named Asset type change over time from version 12.5 or later. Insight establishes a baseline for an asset’s type and monitors the asset for any type changes. If the asset type changes after the same type was observed for 7 consecutive days, NetWitness Insight generates an alert for that asset. For example, an alert is generated if an asset was of type Server or FewClients for a week and then changes to Client.

By default, NetWitness Insight generates alerts at two priority levels. The priority level can be changed by using the incident rule:

  • Low-priority alerts for asset changes on clients
  • Medium-priority alerts for asset changes on servers

This provides valuable insights to analysts when considering the asset’s profile. By observing such changes, analysts can better understand the potential implications and take appropriate actions to protect the network.
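The baseline and new-asset rules described above, as an added simulation that is not NetWitness code: it replays daily observations of an asset and raises the four documented alert types using the default 7-day baseline, the 30-day absence window and the default client/server priorities. The per-asset state, the alert field names, and the behaviour of starting a fresh baseline after a change are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

BASELINE_DAYS = 7        # documented: same observation for 7 consecutive days forms a baseline
NEW_ASSET_GAP_DAYS = 30  # documented: an asset unseen for 30 days counts as new again
SERVER_TYPES = {"Server", "FewClients", "Many Services Few Clients",
                "Many Services Some Clients", "Many Services Many Clients"}

@dataclass
class Baseline:
    # Tracks one asset attribute (category, exported services or type) over time.
    value: object = None
    days: int = 0  # consecutive days the current value has been observed

    def update(self, new):
        # Returns (previous value, days it held) only if a baselined value changed.
        if new == self.value:
            self.days += 1
            return None
        changed = (self.value, self.days) if self.days >= BASELINE_DAYS else None
        self.value, self.days = new, 1  # assumption: a fresh baseline starts after a change
        return changed

@dataclass
class AssetState:
    category: Baseline = field(default_factory=Baseline)
    services: Baseline = field(default_factory=Baseline)
    asset_type: Baseline = field(default_factory=Baseline)
    last_seen: "date | None" = None

class InsightSimulator:
    def __init__(self):
        self.assets = {}  # ip -> AssetState

    def observe(self, ip, day, asset_type, category, services):
        # Replay one day's observation of an asset and return the alerts it raises.
        st = self.assets.setdefault(ip, AssetState())
        priority = "medium" if asset_type in SERVER_TYPES else "low"  # default priorities
        alerts = []
        unseen = st.last_seen is None or (day - st.last_seen).days > NEW_ASSET_GAP_DAYS
        if asset_type in SERVER_TYPES and unseen:  # Client/Undefined never raise this alert
            alerts.append({"description": "New asset discovered in environment",
                           "ip": ip, "priority": priority})
        for attr, tracker, new in (("category", st.category, category),
                                   ("exported services", st.services, frozenset(services)),
                                   ("type", st.asset_type, asset_type)):
            changed = tracker.update(new)
            if changed:  # the old value held for at least BASELINE_DAYS
                alerts.append({"description": f"Asset {attr} change over time", "ip": ip,
                               "priority": priority, "prev": changed[0], "new": new,
                               "baseline_days": changed[1]})
        st.last_seen = day
        return alerts
```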

View Insight Alerts Details

In the Alerts List view, you can browse the Insight alerts from the NetWitness Insight source, filter them, and group them to create incidents. This procedure shows you how to access the Insight alerts list.

To View Insight Alert Details

  1. Log in to the NetWitness Platform.

  2. Go to Respond > Alerts. The Alerts List view displays a list of all NetWitness alerts.

  3. In the Filters panel, under the Source options, select NetWitness Insight.


Note

You can change the time range to filter the alerts that are displayed.

   All the alerts related to NetWitness Insight are listed.

   Clicking the Alert Name opens the Overview page with the details listed below. The following figure represents the Asset category change over time alert.

The following figure represents the New asset discovered in environment alert.

The following figure represents the Asset exported services change over time alert.

The following figure represents the Asset type change over time alert.

The following table outlines the most common fields that are typically displayed in Insight alerts. However, some fields may vary depending on the alert type, providing essential information for analyzing potential threats, prioritizing responses, and protecting critical assets:

Column: Description

Incident ID: Displays the Incident ID of the alert. If there is no incident ID, the alert does not belong to any incident; you can create an incident to include this alert or add the alert to an existing incident.

Note

Insight alerts have no Incident IDs by default and are displayed as (None). You need to enable the Incident Rules to start generating Incident IDs. For more information, see the topic Enable Insight Incident Rules.

Created: Displays the date and time when the alert was recorded in the source system.
Severity: Displays the severity level of the alert. The values range from 1 through 100. In this case, the severity is 40 for medium Insight alerts.
Source: Displays the source of the alert. In this case, the source of the alert is NetWitness Insight.
Type: Displays the type of events in the alert. In this case, the type of event is Network.
# Events: Displays the number of events contained within an alert. NetWitness Insight alerts always have one Event.
Host Summary: Displays host details, such as the IP address from which the alert was triggered.
Persisted status: Displays the persisted status of the incident. In this case, it is None (-).
Raw Alert: Displays the raw alert metadata.
Timestamp: Displays the time when the alert was generated.
Type: Displays the type of events in the alert. For Insight, the type of event is Network.
Description: Displays a basic description of the alert. For example, Asset category change over time.
Port: Displays the port numbers used by the asset to service network traffic. For example, 53, 443.
IP Address: Displays the IP address of the asset for which the alert was detected. You can left-click or right-click this IP address to view the Context Highlights and Network Behavior. For more information, see the topic View Contextual Information for an Asset.
Summary: Displays the summary of the asset. For example, The asset 192.168.1.1 changed from category HTTP to category DNS, HTTPS after being category HTTP for 7 days.
Network Exposure: Displays the asset’s network exposure value, ranging from 1 to 100. For example, the network exposure value is 45. For more information on network exposure, see the topic View Contextual Information for an Asset.
Prev Category: Displays the previous category of the asset. For example, dns.
New Category: Displays the new category of the asset. For example, http.
Prev Exported Services: Displays the previous exported services of the asset. For example, http.
New Exported Services: Displays the new exported services of the asset. For example, dns,http.
Prev Asset Type: Displays the previous type of the asset. For example, Server.
New Asset Type: Displays the new type of the asset. For example, Client.
Event Time: Displays the time when the alert was generated.
Category Duration Baseline, Exported Services Duration Baseline, or Asset Type Duration Baseline (depending on the alert type):
- Displays the number of days the asset category was observed before the change.
- Displays the number of days the same services were observed for the asset before the change in exported services.
- Displays the number of days the asset type was observed before the change.

Note

The default value is 7 consecutive days.

Asset Type: Displays the type of asset. For example, Server.
Category: Displays the category of the asset. For example, http.

For more information on managing alerts, see the Reviewing Alerts topic in the NetWitness Respond User Guide.
