Remediation Path Rules

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-04-17
Category: User Guide
Solution: Cloud
Abstract

Create remediation path rules to customize Active Response to automatically respond to alerts with actions that meet your business requirements.

The Cortex Xpanse Active Response module automates ASM alert investigation and resolution. You can use Remediation Path Rules to customize Active Response to automatically respond to alerts with actions that meet your specific business requirements and context.

A Remediation Path Rule is associated with a set of conditions (an attack surface rule and alert criteria) and with a remediation action. When a new alert matches the remediation path rule conditions, the Active Response playbook performs the remediation action with no additional input required from an analyst.

When you create a remediation path rule, you will choose the attack surface rule the remediation path rule will apply to, define the specific alert criteria that must be met, and select a remediation action. The remediation actions that are available to choose from will depend on the attack surface rule, the alert criteria, and the automation integrations in your system. See the Automated Remediation Capabilities Matrix for details about when fully automated remediation can be used.

For alerts that do not match a Remediation Path Rule, the Active Response playbook will prompt the analyst to +Provide Input about the remediation action.

You can view, create, and delete remediation path rules on the Policies and Rules > Remediation Path Rules page in Expander. You cannot edit existing remediation path rules. To delete a remediation path rule, right-click on the rule in the list view.

Create a New Remediation Path Rule
  1. Navigate to Policies and Rules > Remediation Path Rules.

    You can also open the Remediation Path Rules page from the Select Remediation Action dialog box on the Incidents page. When you click +Provide Input for an alert, the Select Remediation Action dialog box opens. Select Click Here to open the Remediation Path Rules page on another tab.

  2. Click +Add New Rule.

  3. Enter a unique Rule Name and, optionally, a Rule Description.

  4. Select the Attack Surface Rule to which this remediation path rule will apply.

    Every remediation path rule applies to exactly one attack surface rule.

  5. Define the alert criteria for the rule. Available options are listed in the dropdown menus.

    All of these criteria must be met for the Active Response playbook to execute the specified remediation action.

  6. Select the remediation action to be taken when the criteria for this rule match an alert.

    The remediation options available to choose from depend on the attack surface rule selected, the alert criteria, and the automation integrations in your system.

  7. Add Additional Details relevant to the remediation action, such as an email address for the Send a Notification Email option.
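The following is an added illustration of the matching behaviour described above (one attack surface rule per rule, every criterion must be met, unique rule names, no-match falls back to the analyst prompt). It is constructed for this guide and is not Cortex Xpanse code or its API; the alert field names, rule name, attack surface rule name and email address are assumptions.

```python
"""Model of how Remediation Path Rules are matched against ASM alerts.
Constructed illustration, not Cortex Xpanse code or its API; field names,
rule names and alert values are assumptions."""
from dataclasses import dataclass, field

PROMPT_ANALYST = "+Provide Input"  # no rule matched: playbook asks the analyst


@dataclass
class RemediationPathRule:
    name: str
    attack_surface_rule: str  # each rule applies to exactly one attack surface rule
    criteria: dict            # every criterion must be met (hypothetical alert fields)
    action: str
    details: dict = field(default_factory=dict)  # e.g. address for a notification email

    def matches(self, alert: dict) -> bool:
        if alert.get("attack_surface_rule") != self.attack_surface_rule:
            return False
        return all(alert.get(k) == v for k, v in self.criteria.items())


class RuleSet:
    """Rules cannot be edited, only added (with a unique name) or deleted."""
    def __init__(self):
        self.rules = []

    def add(self, rule: RemediationPathRule) -> None:
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"rule name not unique: {rule.name}")
        self.rules.append(rule)

    def delete(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]

    def select_action(self, alert: dict):
        """(rule name, action, details) for the matching rule, else the analyst prompt."""
        for rule in self.rules:
            if rule.matches(alert):
                return rule.name, rule.action, rule.details
        return None, PROMPT_ANALYST, {}


# Constructed sample rule and alerts (not real data).
RULES = RuleSet()
RULES.add(RemediationPathRule(
    name="Notify owner of exposed RDP", attack_surface_rule="RDP Server",
    criteria={"severity": "High", "cloud_provider": "AWS"},
    action="Send a Notification Email", details={"email": "secops@example.com"}))
MATCHING_ALERT = {"attack_surface_rule": "RDP Server", "severity": "High", "cloud_provider": "AWS"}
OTHER_ALERT = {"attack_surface_rule": "RDP Server", "severity": "Low", "cloud_provider": "AWS"}
```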