Alert Status - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product
Cortex XPANSE
Version
2
Creation date
2024-03-28
Last date published
2024-05-24
Category
User Guide
Solution
Cloud
Abstract

Learn about the alert lifecycle and definition of each alert status.

Alerts transition through four basic statuses: New, In Progress, Resolved, and Reopened. There are multiple versions of the Resolved status (which are also called resolution statuses) to enable you to track why an alert was resolved.

A resolution status can be either terminal or reopenable. Terminal resolution means the alert will not be reopened if Xpanse continues to observe the problem. The following resolution statuses are terminal:

  • Resolved - Contested Asset

  • Resolved - Risk Accepted

  • Resolved - No Risk

Reopenable resolution means that Xpanse will reopen the alert and set the status to Reopen if the issue is observed again. The following resolution statuses are reopenable:

  • Resolved - No Longer Observed

  • Resolved - Remediated Automatically

  • Resolved

The table below describes the alert statuses. Some of these statuses are assigned by Xpanse and some are assigned manually by a user. You can manually change the status of any alert to any other status except Resolved - No Longer Observed and Resolved - Remediated Automatically, which are assigned by Xpanse only.

In addition to these built-in alert statuses, you can create custom alert statuses that are tailored to your workflow. For more information, see Add Custom Alert and Incident Statuses and Resolution Reasons.

Alert Status

Description

Set by User or System or Both

New

Indicates one of the following:

  • Xpanse created a new alert because a risk was observed on your attack surface

  • A user manually set the status to New

Both. Xpanse sets the status to New when it opens an alert. A user can set the status to New anytime.

In Progress

Indicates that you have started investigating or remediating the alert.

User only

Reopened

Indicates one of the following:

  • Xpanse reopened a formerly resolved alert

  • A user set the status to Reopened.

Both

Resolved - Contested Asset

Indicates that you do not believe that this asset belongs to your organization.

This is a terminal resolution status.

User only

Resolved - Risk Accepted

Indicates that you understand that this alert poses a risk to your organization, but that you would like to accept the risk rather than address it.

This is a terminal resolution status.

User only

Resolved - No Risk

Indicates that you acknowledge that an alert exists, but that there is a mitigating control or other circumstances which results in the alert not being necessary.

This is a terminal resolution status.

User only

Resolved - No Longer Observed

Indicates that Xpanse no longer detects the issue on the service, asset, or website.

This is a reopenable resolution status.

System only

Resolved - Remediated Automatically

Indicates that automated remediation was used to remediate the alert.

This is a reopenable resolution status.

Note

This status is only used if you have the Active Response add-on module. See Active Response for more information.

System only

Resolved

Indicates that the alert was remediated.

This is a reopenable resolution status.

User only