Sub-alert States

In LightBeam Playbooks Alerts 2.1.2, 'Sub-alert States' have been introduced to facilitate workflow management between multiple stakeholders during the alert review process. This feature allows you to move a sub-alert through different states while it remains active.

Overview of Sub-alert States

When a sub-alert is first generated, it is marked as Open. From there, you can transition the sub-alert through various states:

• Open: Initial state when a sub-alert is created

• In Progress: Sub-alert is being actively worked on

• In Review: Sub-alert has been submitted for review

• Review Completed: Review process has been completed

• On Hold: Processing of the sub-alert has been temporarily paused

Figure 36: Sub-alert State Flow

Managing Sub-alert States

To change a sub-alert's state:

1. Navigate to the sub-alert in the 'Objects Impacted' table.

2. Select the sub-alert by clicking the checkbox next to it.

3. Click on the "Change State" action in the actions menu above the table.

Figure 37: Change State Action

1. In the dialog that appears, select the desired state from the available options.

Figure 38: State Selection Dialog

1. Click "Apply" to change the state.

2. The state change will be recorded in the audit log with details of the user who performed the action.

Bulk State Changes

You can also perform state changes on multiple sub-alerts simultaneously:

1. In the 'Objects Impacted' table, use the state filter dropdown to find sub-alerts in specific states if needed.

Figure 39: Sub-alert State Filter

1. Select multiple sub-alerts by clicking the checkboxes next to them.

2. If you want to select all sub-alerts visible on the current page, click the checkbox in the table header.

3. If you want to select all sub-alerts across all pages, click the "Select all sub-alerts" option that appears after selecting the header checkbox.

Figure 40: Select All Sub-alerts Option

1. Click "Change State" from the actions menu.

2. Select the target state for all selected sub-alerts.

3. Click "Apply" to change the state of all selected sub-alerts.

Viewing Sub-alert States

The current state of each sub-alert is displayed in the 'Objects Impacted' table. You can:

1. Sort sub-alerts by their state by clicking on the state column header.

2. Filter sub-alerts by specific states using the state filter dropdown.

3. View state change history in the audit logs.

Audit Trail for State Changes

All state changes are recorded in the audit logs with the following information:

• User who performed the state change

• Previous state

• New state

• Timestamp of the change

• Affected sub-alerts

Figure 41: Audit Log Entry for State Change

Note: Once a sub-alert is closed (resolved, permitted, or muted), its state cannot be changed and it will no longer appear in the active sub-alerts view.

Use Cases for Sub-alert States

The sub-alert states feature supports various workflow scenarios, such as:

1. Security Review Workflow:

   • Security analyst sets state to "In Progress" while working on the alert

   • When ready for review, changes state to "In Review"

   • Security manager reviews and changes state to "Review Completed"

2. Compliance Verification:

   • Compliance officer reviews sub-alerts marked as "In Review"

   • After verification, changes state to "Review Completed"

3. Investigation Workflow:

   • Initial triage sets sub-alert to "In Progress"

   • If waiting for additional information, sets to "On Hold"

   • Once investigation continues, returns to "In Progress"

   • When ready for final review, sets to "In Review"

The sub-alert states feature enables better collaboration and tracking of alert review processes, allowing multiple stakeholders to coordinate their efforts in addressing data privacy incidents.