View Insight Alerts from Respond View

Analysts can view two kinds of NetWitness Insight alerts: Asset category change over time and New asset discovered in environment. The alerts are listed on the Respond > Alerts page.

Alert Type: Description

Asset category change over time: NetWitness Insight introduces a new alert named Asset category change over time. This feature establishes a baseline for an asset’s category and monitors the asset for any category change. If the asset’s category changes after the same category has been observed for 7 consecutive days, NetWitness Insight generates an alert for that asset.
If the category of an asset changes over time, the purpose of the asset has been altered. For example, if an asset serves as an HTTP server for a week and then suddenly becomes a DNS server, there can be several reasons for the change: an administrator may have modified the configuration, or the asset may have been compromised by an unauthorized person who gained access to the network and altered it.

New asset discovered in environment (available in BETA mode): NetWitness Insight introduces a new alert named New asset discovered in environment in version 12.3.1 and later. This alert is generated whenever an asset of a server type is detected in the environment for the first time, or when an existing asset has not been observed by NetWitness Insight for the last 30 days. The alert is generated only for assets that NetWitness Insight identifies as servers. This feature enhances visibility and gives analysts an improved understanding of the assets present in the environment.

Note

-This alert is generated only for assets identified as Server, Few Clients, Many Services Few Clients, Many Services Some Clients, and Many Services Many Clients. No alert is generated for assets identified as Client or Undefined.

-NetWitness recommends that you enable this feature only after you have deployed all the sensors. If you add a new sensor after the feature is enabled, Insight treats every server observed only through that sensor as a new asset and generates new alerts for all of them.

This feature is currently available in BETA mode and is disabled by default. Contact the NetWitness Customer Support team to enable it.

By default, NetWitness Insight assigns one of two priority levels to its alerts. The priority level can be changed in the incident rule:

  • Low priority for asset change alerts on clients
  • Medium priority for asset change alerts on servers

This gives analysts valuable context when considering the asset’s profile. By observing such changes, analysts can better understand the potential implications and take appropriate action to protect the network.
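As an added illustration, not NetWitness code and not a description of how Insight is implemented internally, the following Python models the two alert types and the default priorities described above and runs them over constructed daily observations. The 7-day baseline, the 30-day gap and the list of server asset types come from the text; how a missed day affects the "consecutive" count, the wording of the new-asset summary, and all class and function names (InsightMonitor, observe, run_demo) are assumptions made for the example.

```python
"""Added example (not NetWitness code): a minimal model of the two
NetWitness Insight alert types, run over constructed daily observations.
Streak and gap handling are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

BASELINE_DAYS = 7          # default "Category Duration Baseline"
NEW_ASSET_GAP_DAYS = 30    # an asset unseen this long is reported as new again

# Asset types that qualify for "New asset discovered in environment";
# Client and Undefined assets never do.
SERVER_ASSET_TYPES = {
    "Server", "Few Clients", "Many Services Few Clients",
    "Many Services Some Clients", "Many Services Many Clients",
}


@dataclass
class Alert:
    name: str
    ip: str
    priority: str
    summary: str


@dataclass
class AssetState:
    category: str
    streak_start: date   # first day of the current unbroken category streak
    last_seen: date


def priority_for(asset_type: str) -> str:
    """Default priorities: Medium for servers, Low for clients."""
    return "Medium" if asset_type in SERVER_ASSET_TYPES else "Low"


class InsightMonitor:
    def __init__(self, baseline_days=BASELINE_DAYS,
                 new_asset_gap_days=NEW_ASSET_GAP_DAYS,
                 new_asset_alerts=False):
        self.baseline_days = baseline_days
        self.gap = timedelta(days=new_asset_gap_days)
        self.new_asset_alerts = new_asset_alerts   # BETA feature, off by default
        self.assets: dict[str, AssetState] = {}

    def observe(self, day: date, ip: str, category: str, asset_type: str) -> list[Alert]:
        """Record one daily sighting of an asset and return any alerts it raises."""
        alerts = []
        state = self.assets.get(ip)
        is_new = state is None or day - state.last_seen > self.gap
        if is_new:
            if self.new_asset_alerts and asset_type in SERVER_ASSET_TYPES:
                alerts.append(Alert(
                    "New asset discovered in environment", ip, priority_for(asset_type),
                    f"The asset {ip} ({asset_type}) was observed for the first time "
                    f"or after more than {self.gap.days} days"))   # wording is an assumption
            self.assets[ip] = AssetState(category, day, day)       # start a fresh baseline
            return alerts
        if category != state.category:
            streak = (state.last_seen - state.streak_start).days + 1
            if streak >= self.baseline_days:
                alerts.append(Alert(
                    "Asset category change over time", ip, priority_for(asset_type),
                    f"The asset {ip} changed from category {state.category} to category "
                    f"{category} after being category {state.category} for {streak} days"))
            state.category, state.streak_start = category, day
        elif (day - state.last_seen).days > 1:
            state.streak_start = day   # a missed day breaks the consecutive streak (assumption)
        state.last_seen = day
        return alerts


def run_demo() -> list[Alert]:
    """Constructed sample: a server that flips HTTP -> DNS, HTTPS after a
    week, and a client that flips after only three days (no alert)."""
    mon = InsightMonitor(new_asset_alerts=True)
    start = date(2024, 1, 1)
    alerts = []
    for i in range(7):                      # seven consecutive days as HTTP
        alerts += mon.observe(start + timedelta(days=i), "192.168.1.1", "HTTP", "Server")
    alerts += mon.observe(start + timedelta(days=7), "192.168.1.1", "DNS, HTTPS", "Server")
    for i in range(3):                      # baseline too short to alert
        alerts += mon.observe(start + timedelta(days=i), "10.0.0.5", "HTTP", "Client")
    alerts += mon.observe(start + timedelta(days=3), "10.0.0.5", "SMB", "Client")
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.priority}] {a.name}: {a.summary}")
```

Running the demo raises one new-asset alert for the server on its first sighting and one Medium-priority category change alert on day 8, whose summary matches the form shown in the Overview details below; the client raises nothing, because Client assets are excluded from the new-asset alert and its three-day history is shorter than the 7-day baseline. The sensor caveat from the note above falls out of the same model: a server first seen through a newly added sensor has no prior state and is reported as new.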

View Insight Alerts Details

In the Alerts List view, you can browse the alerts from the NetWitness Insight source, filter them, and group them to create incidents. This procedure shows you how to access the list of Insight alerts.

To View Insight Alert Details

  1. Log in to the NetWitness Platform.

  2. Go to Respond > Alerts. The Alerts List view displays a list of all NetWitness alerts.

  3. In the Filters panel, under the Source options, select NetWitness Insight.


Note

You can change the time range to filter the alerts that are displayed.

   All the alerts related to NetWitness Insight are listed.

   Clicking the Alert Name opens the Overview page with the details listed below. The following figure represents the Asset category change over time alert.

[Figure: Asset category change over time alert]

The following figure represents the New asset discovered in environment alert.

[Figure: New asset discovered in environment alert]

Column: Description

Incident ID: Displays the Incident ID of the alert. If there is no incident ID, the alert does not belong to any incident, and you can create an incident to include this alert or add the alert to an existing incident.

Note

Insight alerts have no Incident ID by default and are displayed as (None). You need to enable the Incident Rules to start generating Incident IDs. For more information, see the topic Enable Insight Incident Rules.

Created: Displays the date and time when the alert was recorded in the source system.
Severity: Displays the severity of the alert, on a scale from 1 through 100. In this case, the severity is 40, the value used for medium Insight alerts.
Source: Displays the source of the alert. In this case, the source of the alert is NetWitness Insight.
Type: Displays the type of events in the alert. In this case, the type of event is Network.
# Events: Displays the number of events contained within an alert. NetWitness Insight alerts always contain one event.
Host Summary: Displays host details, such as the IP address for which the alert was triggered.
Persisted status: Displays whether the alert has been persisted. In this case, it is None (-).
Raw Alert: Displays the raw alert metadata.
Timestamp: Displays the time when the alert was generated.
Type: Displays the type of events in the alert. In this case, the type of event is Network.
Description: Displays a basic description of the alert. In this case, it is Asset category change over time.
Port: Displays the port numbers used by the asset to service network traffic. In this case, they are 53, 443.
IP Address: Displays the IP address of the asset for which the alert was detected. You can left-click or right-click this IP address to view the Context Highlights and Network Behavior. For more information, see the topic View Contextual Information for an Asset.
Summary: Displays the summary of the alert. In this case: The asset 192.168.1.1 changed from category HTTP to category DNS, HTTPS after being category HTTP for 7 days.
Network Exposure: Displays the asset’s network exposure value, ranging from 1 to 100. In this case, the network exposure value is 45. For more information on network exposure, see the topic View Contextual Information for an Asset.
Prev Category: Displays the previous category of the asset. In this case, it is HTTP.
New Category: Displays the new category of the asset. In this case, it is DNS, HTTPS.
Event Time: Displays the time when the alert was generated.
Category Duration Baseline: Displays the number of consecutive days the asset category was observed before the change. The default value is 7 days.
Asset Type: Displays the type of asset. In this case, it is Server.

For more information on managing alerts, see the Reviewing Alerts topic in the NetWitness Respond User Guide.

See also