This article describes how a Situation is formed from similar signals through the correlation mechanism and how to change the status of a Situation from one to another.
Situation titles give you insight into related signals and their scope. Titles are generated by correlating related signals and assessing how each signal impacts the health of a device, to prevent damage.
Detailed Situation titles give you insight into:
- Situation Impact: Which part of the infrastructure is impacted by the situation. For example, see whether a single server is down or an entire cluster.
- Correlation Pattern: Which patterns caused the signals to be clustered together and why, which helps you investigate a problem.
- Related signals: Gives you a summary of all related signals listed on the situations feed.
- Priority: Priority is determined by the correlation rules and pattern logic based on the severity of the problem.
- Status: Tells you whether the situation is acknowledged, closed, work in progress, or open.
How Situation Titles Work
Situation titles are generated according to the following logic:
- Main Title - Gives you the title of a situation based on the type of signals grouped together. For example, if the situation is related to security, the title is framed as the security situation of a server. The title updates for the first 50 signals that are correlated to form a Situation. However, you can customize the title of a Situation as per your desired criteria. The title can be up to 160 characters long.
- Summary - Summarizes the signals that are part of a situation. The summary includes the following details:
  - Signal Name: The name of each signal.
  - Signal Start Time: The time at which the signal was initiated.
  - First Event Time: When the first event occurred.
  - Source IP: The IP address of the device where the signal comes from.
  - Destination IP: The IP address of the destination device.
  - Observations: The observations made on each signal.
  - Risk Evidence: The kind of risk the signal poses to a device.
  - Recommendations: The types of remedial actions to take.
Examples of Situation Titles
The Situation title below indicates that the CPU usage percentage exceeded the threshold value.
The Situation title below gives you details on threat detection on the server.
Situation Status
The signal status is determined by the most recent update received from the source monitoring system. The status of a Situation is determined by the severity of each related signal.
Situation status levels are:

| Status | Description |
| --- | --- |
| New | A Situation has arrived recently and has not yet been acknowledged by the support team. |
| Acknowledged | The respondent has seen the Situation and owns it. |
| In Progress | The Situation has been acknowledged and work on it has started. |
| On hold | Put on hold while awaiting evidence, awaiting the user, etc. |
| Healed | The Situation got resolved on its own. |
| Resolved | Remediation has been taken and the issue is resolved. |
| Closed | Remediation has been taken and the issue is resolved. |
Priorities and their respective colors are assigned to each situation based on the score calculated from impact, likelihood, and confidence factors.
| Priority | Color | Description |
| --- | --- | --- |
| P4 | Green | The situation is resolved and has no impact on the asset. |
| P3 | Yellow | The monitoring system has detected an issue. For example, the CPU cache is low. |
| P2 | Light Orange | The Situation has been acknowledged in the source system, or the monitored object is under scheduled maintenance. |
| P1 | Orange | The monitoring system has detected a serious problem. For example, a service is unavailable or a maximum usage threshold has been exceeded. |
| P0 | Red | A potential issue is detected and poses a serious impact on assets if not resolved within the SLA period. |
Changing status of a Situation
You can tailor the existing statuses to match the specific needs and workflows of your organization. You can often modify existing ones to align with your business requirements, which supports collaboration and productivity. Before changing the status, configure your desired status by using the Configurable Statuses procedure.
To change the existing status to a new one:
1. Navigate to Resolutions --> Situations from the left menu.
   The Situations home page opens.
2. Click the Situation whose status you want to change.
3. Click Status located below the Situation name.
   A drop-down menu opens where you can find the statuses that you have configured.
4. Select your desired status and click Done.
   Your desired status will be assigned to that Situation.
In case you are closing the Situation, follow these additional steps:
5. Select the status as Closed and click Done. This will open a side panel where you can enter the reason for closing the Situation.
6. Select the reason from the following options:
- Benign – The Situation does not pose a significant risk.
- False positive – The Situation was incorrectly identified as an anomaly.
- Resolved – The Situation has been successfully resolved.
- Self-heal – The Situation was automatically resolved without human intervention.
- Closed by external system – The Situation was closed by an external system.
7. Enter the resolution note in the text box provided. You can use formatting options to enhance the note if needed.
8. Enter the amount of time spent resolving this Situation, in minutes.
9. Click Submit to close the Situation.
Changing stage of a Situation in the resolution cycle
You can assign a stage to a situation by selecting the appropriate stage value, indicating its phase in the case resolution cycle. This helps you track the progress and current phase of a Situation more effectively. If you want to customize the stage values, configure the customized values by using the configuring stage values procedure.
To assign a stage to a situation:
1. Navigate to Resolutions --> Situations from the left menu.
   The Situations list view page opens.
2. Click the Situation whose stage you want to change.
3. Click Stage located below the Situation name.
   A drop-down menu opens where you can find the different stages that you have configured.
4. Select the stage and click Apply. The selected stage will be assigned to the situation.
Tags
Tags help you classify Situations. The tags are created in a key-value format. You can view the tags that are added through external systems, in addition to the tags you add in the Situation workspace.
Adding tags
To add tags to an ActOn:
1. Navigate to Resolutions --> Situations.
   The Situations list page opens.
2. Click the particular Situation to which you want to add a tag. This opens the Situations Workspace.
3. Click Add Tag. This opens the side panel.
4. Enter the tag in the key:value format and click the plus button to add the tag. You can add as many tags as you want.
5. Click Submit to associate the tags with an ActOn. The added tags are visible next to the tags icon in the Situations Workspace.