Levels of Actions on Alerts

Actions can be performed at four different levels, providing flexibility in alert management:

1. Individual Sub Alert Actions

├ i) Resolving Sub Alerts

├ ii) Reassigning Sub Alerts

├ iii) Adding Sub Alerts to No Scan List

├ iv) Adding Sub Alerts to Permit List

└v) Muting Sub Alerts 2. Batch Sub Alert Actions

3. Multiple Alert-level Actions

4. Alert-level Actions

1. Individual Sub Alert Actions

Actions are taken on individual sub alerts, allowing you to resolve, reassign, add to permit list, or perform other actions on specific objects within an alert. This level of control is particularly useful when you need to handle each impacted object differently based on its content, sensitivity, or other factors.

i) Resolving Sub Alerts

1. Select the checkbox next to the sub alert(s) you want to act on.

2. Select 'Resolve' from the Actions dropdown menu.

1. In the Resolve window, add a note to provide context or document the actions taken offline.

1. Click 'Resolve' to mark the sub alert(s) as resolved.

Impact on Table View: After resolving a sub alert, it will be removed from the 'Objects Impacted' table, as it has been marked as resolved.

Impact on Dashboard View: The alert dashboard will update to reflect the decreased number of objects impacted, entities impacted, and attributes associated with the resolved sub alert(s).

ii) Reassigning Sub Alerts

1. Select 'Reassign' from the Actions dropdown menu.

1. In the Reassign window, enter the email address of the user you want to reassign the sub alert(s) to.

1. Click 'Assign' to complete the reassignment.

Impact on Table View: After reassigning a sub alert, the 'Assignee' column in the 'Objects Impacted' table will update to display the email address of the new assignee for the corresponding sub alert(s).

Impact on Dashboard View: The total number of assignees in the alert dashboard will increment to reflect the additional assignee(s) for the reassigned sub alert(s)

iii) Adding Sub Alerts to No Scan List

1. Select 'Add to "No Scan List"' from the Actions dropdown menu.

1. In the Add to No Scan List window, you can choose to add a note if necessary and then click on Add to no-scan list.

Impact on Table View: After adding a sub alert to the no scan list, it will be removed from the 'Objects Impacted' table, as it will no longer be scanned by the data source.

Impact on Dashboard View: The alert dashboard will update to reflect the decreased number of objects impacted, entities impacted, and attributes associated with the sub alert(s) added to the no scan list.

iv) Adding Sub Alerts to Permit List

1. Select 'Add to Permit List' from the Actions dropdown menu.

1. In the Add to Permit List window, you can choose to add a note to provide additional information.

1. Click 'Add to Permit List' to complete the action.

Impact on Table View: After adding a sub alert to the permit list, it will be removed from the 'Objects Impacted' table, as it has been exempted from the policy rules.

Impact on Dashboard View: The alert dashboard will update to reflect the decreased number of objects impacted, entities impacted, and attributes associated with the sub alert(s) added to the permit list.

v) Muting Sub Alerts

1. Select 'Mute Alert' from the Actions dropdown menu.

1. In the Mute Alert window, set the mute duration by selecting the number of days, weeks, or months from the dropdown menu.

2. Add a note to provide additional information.

1. Click 'Mute Alert' to temporarily suppress the sub alert(s) for the specified duration.

Impact on Table View: After muting a sub alert, it will be removed from the 'Objects Impacted' table for the specified mute duration and added to the 'Permit List' table within Playbooks.

Impact on Dashboard View: The alert dashboard will update to reflect the decreased number of objects impacted, entities impacted, and attributes associated with the muted sub alert(s) for the duration of the mute period.

2. Batch Sub Alert Actions

Alerts 2.0 allows users to perform batch actions on sub alerts, streamlining alert management. You can select all sub alerts on a page at a time by checking the boxes next to each relevant row in the 'Objects Impacted' table. This feature enables you to efficiently apply the same action to multiple sub alerts simultaneously, saving time and effort.

3. Multiple Alert-level Actions

The multiple alert level allows you to perform actions on sub alerts across multiple alerts simultaneously. This means that you can select different alerts from a single list-view and perform an action on them at once.

To perform a multiple alert-level action, follow these steps:

1. Navigate to the Alerts page, which displays a list view of all the alerts.

2. Select the checkboxes next to the alerts you want to perform the action on. You can select alerts from different policies or rule sets.

3. Once you have selected the desired alerts, click on the action button (Reassign, Resolve, or Mute).

4. Alert-level Actions

Actions at this level affect all sub alerts within a single alert. When you perform an action at the alert level, it is applied to every object impacted by the alert. This is useful when you want to apply the same action to all sub alerts within an alert, such as reassigning the entire alert to a different user or adding all impacted objects to the permit list.

Users can further perform actions on the alerts by ticking the checkbox for the alert under Alert name.

To perform an alert-level action, follow these steps:

1. On the alert details page, locate the action buttons in the top-left corner of the screen.

2. Click on the desired action button (Reassign, Resolve, or click on the 🔽 arrow to Mute) to apply the action to all sub alerts within the alert.