Cortex XSIAM enables you to validate the resolution of an Attack Surface Management (ASM) alert using remediation confirmation scanning (RCS). This scan uses the same payloads and global scanning infrastructure that were used for service discovery to ensure that a risk has been addressed.
Remediation confirmation scans are built into the Cortex ASM - ASM Alert playbook in a subplaybook called Cortex ASM - Remediation Confirmation Scan. This means that every ASM alert that is remediated by the playbook is followed by an RCS scan to ensure that the risk is no longer observable.
You can also initiate an RCS scan manually for any ASM alert. RCS scans typically take 4 or more hours to complete. Use the RCS Scan Status button to post the scan status and results in the alert War Room. The following steps describe how to initiate an RCS scan for an ASM alert in an incident.
1. Navigate to Incidents and select the incident with an ASM alert that you want to scan.
2. In the incident details pane, select the Alerts & Insights tab and then click on the ASM alert.
   The alert details panel opens on the right.
3. In the alert details panel, click Investigate.
   The ASM alert page opens.
4. Click the RCS Scan Start button.
   A notification appears indicating that the scan has been initiated. RCS scans typically take four hours or more to complete.
5. Check the status of the scan by clicking the RCS Scan Status button.
   This button displays the status of the scan and scan results, if they are ready, in the alert War Room. Possible status values are error, in progress, and scan completed.