How Active Response Works - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product
Cortex XPANSE
Version
2
Creation date
2024-03-28
Last date published
2024-05-13
Category
User Guide
Solution
Cloud

When Expander identifies an exposure on your attack surface, it creates a new alert and the Active Response module executes an automation playbook. This playbook progresses through a set of stages, as illustrated in the figure below. During each of these stages various automation integrations may be utilized to collect data, send Expander data to another system, or take a remediation action.

The Active Response playbook contains a set of sub-playbooks, which support many different remediation paths that can be taken depending on the types of configured integrations, the type of alert, and input provided by the analyst. After the final stage, the alert is resolved.

how-active-response-works.png
Remediation Confirmation Scanning

During the validation stage, Xpanse validates the resolution of alerts by completing a remediation confirmation scan. This scan utilizes the same payloads and global scanning infrastructure that was used for service discovery to ensure that the risk has been addressed and that it won't inadvertently generate a new alert during the next scheduled scan of this asset.