View UEBA Cloud Incident Details
Analysts can view and work with incidents in the Respond > Incidents view. This procedure shows you how to access the list of UEBA Cloud incidents. Analysts can filter this list to show only the incidents of interest.
In NetWitness Platform 12.5 and later, analysts can view the details of the MITRE ATT&CK tactics and techniques used by advanced attackers or advanced persistent threats (APTs) directly in NetWitness UEBA Cloud incidents. You do not have to search the MITRE website to understand a tactic or technique and its implications. Clicking any tactic or technique in a UEBA Cloud incident opens the ATT&CK Explorer panel, which displays the details.
Important: Both MITRE ATT&CK® and ATT&CK® are registered trademarks of the MITRE Corporation. © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
For more information on using the MITRE ATT&CK framework, see Use MITRE ATT&CK® Framework.
To View UEBA Cloud Incident Details
- Log in to the NetWitness Platform.
- Go to Respond > Incidents.
- In the Filters panel, under Incident Name, select the option Contains and enter UEBA (Cloud) to obtain a filtered list of incidents in the Incidents List view.
Note: You can also enter the names of specific incidents to obtain a list of only those incidents.
The following table describes the columns in the Incidents List.
| Column | Description |
| --- | --- |
| Created | Displays the creation date of the incident. |
| Priority | Displays the incident priority. Priority can be Critical, High, Medium, or Low. |
| Risk Score | Displays the incident risk score, a value from 0 to 100 calculated by an algorithm. 100 is the highest risk score. |
| ID | Displays the automatically created incident number. Each incident is assigned a unique number that you can use to track the incident. Note: To create incidents automatically, you need to enable at least one incident rule. Predefined (default) incident rules and rules that you create must be enabled before they start creating incidents. For more information on enabling incident rules, see the topic Enable UEBA Cloud Incident Rules. |
| Name | Displays the incident name, which is derived from the rule that triggered the incident, for example NetWitness UEBA (Cloud) for jasmine king. Click the link to go to the Incident Details view for the selected incident. |
| Status | Displays the incident status. Newly created UEBA Cloud incidents have the status New. |
| Assignee | Displays the team member currently assigned to the incident. |
| Alert | Displays the number of alerts associated with the incident. An incident may include many alerts; a large number of alerts might indicate a large-scale attack. |
| MITRE ATT&CK TACTICS | Displays the MITRE ATT&CK tactics associated with the incident. |
- Click the incident name or ID to open the Incident Details view and its Overview panel.
- On the Overview panel, you can modify the values of Priority, Status, and Assignee and add an External ID for the incident.
Note: When you click either a Tactic or a Technique, the ATT&CK® Explorer panel appears on the right, populated with the relevant information.
- To view the Indicators panel, click the Indicators tab next to the Overview panel in the Incident Details view.
- Click any tactic in the listed indicators. The ATT&CK® Explorer panel appears on the right, populated with the relevant information.
For more information on incidents, see the NetWitness Respond User Guide.