Resolution reasons for incidents and alerts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Describes the resolution reasons for incidents and alerts.

When you resolve an incident or alert you must also specify a resolution reason. The following table describes the resolution reasons available for selection.

Note

The displayed resolution reasons are domain specific. You can see the resolution reasons that are defined for a domain under ConfigurationsObject SetupIncidentsDomains.

Resolution reason

Description

Resolved - True Positive

The incident was correctly identified by Cortex XSIAM as a real threat, and the incident was successfully handled and resolved.

Note

Incidents resolved as True Positive and False Positive help Cortex XSIAM to identify real threats in your environment by comparing future incidents and associated alerts to the resolved incidents. Therefore, the handling and scoring of future incidents is affected by these resolutions.

Resolved - False Positive

The incident is not a real threat.

Note

Incidents resolved as True Positive and False Positive help Cortex XSIAM to identify real threats in your environment by comparing future incidents and associated alerts to the resolved incidents. Therefore, the handling and scoring of future incidents is affected by these resolutions.

Resolved - Security Testing

The incident is related to security testing or simulation activity such as a BAS, pentest, or red team activity.

Resolved - Known Issue

The incident is related to an existing issue or an issue that is already being handled.

Resolved - Duplicate Incident

The incident is a duplicate of another incident.

If you created a custom resolution, it is also available for selection.