Confirm the remediation of ASM alerts

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-06-20
Category
Administrator Guide

Cortex XSIAM enables you to validate the resolution of an Attack Surface Management (ASM) alert using remediation confirmation scanning (RCS). The scan uses the same payloads and the same global scanning infrastructure that were used for service discovery, so a risk is only considered addressed when the service that raised the alert can no longer be observed by the scanner.

Remediation confirmation scans are built into the Cortex ASM - ASM Alert playbook in a subplaybook called Cortex ASM - Remediation Confirmation Scan. This means that every ASM alert that is remediated by the playbook is followed by an RCS scan to ensure that the risk is no longer observable.

You can also initiate an RCS scan manually for any ASM alert. RCS scans typically take four hours or more to complete; use the RCS Scan Status button to post the current scan status and, when available, the results in the alert War Room. The following steps describe how to initiate an RCS scan for an ASM alert in an incident.

  1. Navigate to the Incidents page and select the incident with an ASM alert that you want to scan.

  2. In the incident details pane, select the Alerts & Insights tab and then click on the ASM alert.

    The alert details panel will open on the right.

  3. In the alert details panel, click Investigate.

    The ASM alert page will open.

  4. Click the RCS Scan Start button.

    A notification will pop up indicating that the scan has been initiated. RCS scans typically take four hours or more to complete.

  5. Check the status of the scan by clicking the RCS Scan Status button.

    This button posts the status of the scan and, if they are ready, the scan results in the alert War Room. Possible status values are error, in progress, and scan completed. If the results are not yet posted, wait and click the button again; if the scan completes but the service is still observable, the remediation did not take effect and the alert should remain open.