Changing an alert status

Expand all | Collapse all

As a work item, an alert has a status that shows the current state of the alert in its life cycle.

You can change alert statuses for your own alerts or the alerts of other analysts only if you have the access right to read and modify alerts and incidents.

If the alert status is changed manually, playbooks will not launch automatically. You can launch a playbook for such an alert manually.

An alert can have one of the following statuses:

• New

  When Open Single Management Platform registers a new alert, the alert has the New status. You can change the status to In progress or Closed. When you change the New status to Closed, and the alert has no assignee, the alert is automatically assigned to you.

• In progress

  This status means that an analyst started working on the alert. You can change the In progress status to New or Closed.

• Closed

  True positive alerts are to be linked to incidents and be investigated within the incidents. When you close an incident, the linked alerts also gain the Closed status. You close an unlinked alert only as false positive or a low-priority alert. When you close an alert, you must select a resolution.

  The Closed status can only be changed to status New. If you want to return a closed alert back to active, change its status as follows: Closed → New → In progress.

  When you close an alert linked to an incident, the alert is automatically unlinked from the incident. If the alert that you are going to close has no assignee, the alert is automatically assigned to the analyst who closes the alert.

• In incident

  Alerts gain this status when they are linked to an incident. You cannot set this status manually. You can only set the Closed status to a linked alert. To set the New or In progress status, you first must unlink the alert from the incident.

To change the status of one or several alerts:

1. In the main menu, go to Monitoring & reporting → Alerts.
2. Do one of the following:
   • Select the check boxes next to the alerts whose status you want to change.
   • Click the link with the ID of the alert whose status you want to change.

     The Alert details window opens.

3. Click the Change status button.
4. In the Change status pane, select the status to set.

   If you select the Closed status, you must select a resolution.

   If you change the alert status to Closed and this alert contains uncompleted playbooks or response actions, all related playbooks and response actions will be terminated.

5. Click the Save button.

The status of the selected alerts is changed.