Resolve Incidents with Active Response - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Use Active Response to automate the investigation and resolution of alerts and incidents in Expander.

The following procedure describes how to resolve incidents using Cortex Xpanse Active Response. To resolve an incident, you will resolve each of the alerts associated with that incident.

Before you begin using Active Response, complete the following prerequisites:

Resolve Alerts
  1. Navigate to Incident ResponseIncidents and review the list of incidents.

    By default incidents are sorted by risk, but you can sort and filter incidents based on your requirements.

  2. Select your highest-priority incident with alerts that indicate Needs Input.

  3. In the incident details pane on the right, review the alerts to understand the risk and the context that has been gathered through the playbook execution so far.

    The Overview tab in the right pane provides the Alert Description, Alert Status, and Playbook Status for each alert related to the incident. The Alerts tab provides additional details about each alert, including detection details and remediation guidance.

  4. In the Overview tab, click +Provide Input and follow the prompts to select a remediation or notification option. Depending on the type of alert and your configured integrations, remediation options may include the following:

    • Manual remediation

    • Automated remediation

    • Send a notification email

    • File a ticket

    Consult the Automated Remediation Capabilities Matrix to learn about automated remediation options and requirements.

    Once you've selected the remediation option, the playbook changes the alert status to In Progress.


    If you have a remediation path rule that matches the alert criteria, you will not be prompted to select a remediation option. Instead, the playbook will use the remediation option defined in the rule.

  5. If a matching remediation path rule specified automated remediation, or if you chose Automated Remediation in step 4, Active Response will automatically fix the issue that triggered the alert.

    If you specified Manual Remediation, Send a notification email, or File a ticket, either manually or through a remediation path rule, the playbook will display a new Needs Input prompt asking you to confirm that the alert has been remediated. When appropriate, click +Provide Input and confirm the remediation.

    Once the alert has been remediated manually or by automatically by Active Response, the playbook verifies that the service is no longer observable by performing a remediation confirmation scan and then changes the alert status to Resolved.

  6. Repeat steps 4 and 5 for each alert in the incident.

After all the alerts for the incident have been resolved, the playbook automatically marks the incident as Resolved.