Incident Status - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-04-17
Category: User Guide
Solution: Cloud
Abstract

Learn about each incident status.

The table below describes the incident statuses. Some of these statuses are assigned automatically by Xpanse and some are assigned manually by a user. You can manually change the status of any incident to any status.

Incidents typically move through a New → Under Investigation → Resolved workflow. However, after an incident has been resolved, Xpanse will reopen it with the status New if scans detect the asset on the internet again and a corresponding alert is generated.

Incident Status: New

  Description: Incidents have the status New in the following circumstances:

  • Xpanse has created a brand new incident.

  • Xpanse has reopened a previously resolved incident because the asset was observed on the public internet again and Xpanse opened an alert for it.

  • A user has set the incident status to New.

  Set by System or User or Both: Both. The system sets the status to New for a new or reopened incident. A user can change the status to New anytime.

Incident Status: Under Investigation

  Description: Indicates that one or more alerts for the incident are In Progress or New.

  Set by System or User or Both: User only

Incident Status: Resolved

  Description: When all the related alerts for an incident are resolved, the incident is marked Resolved.

  Set by System or User or Both: Both. The system changes the status to Resolved when all the alerts have been resolved. A user can change the status to Resolved anytime.