This article provides an overview of Situations, their types and key elements, the steps required to convert a Situation into an ActOn, and how to change a Situation's status.
Resolution Intelligence Cloud provides an AI/ML-driven correlation engine that correlates high-quality, repetitive signals to identify macro-level issues in your IT infrastructure, called Situations. Situations streamline the handoff between teams, centralize critical information, and reduce notification fatigue.
Resolution Intelligence Cloud does not allow you to push Situations directly into ITSM (Jira and ServiceNow) and Security (Chronicle SOAR) integrations.
Situations in Resolution Intelligence Cloud are of two types:
- DigitalOps Situations
- Security Situations
Viewing Situations
Resolution Intelligence Cloud ingests all signals originating from source systems such as OpsRamp and Chronicle, and uses correlation algorithms to correlate similar signals into a Situation. Signals become Situations through correlation rules defined on specific conditions. For example, multiple signals are correlated into a Situation when the signal source is OpsRamp and the signal class is Applications.
To explore the Situations feed:
- Navigate to Resolutions --> Situations from the left menu. A Situations feed appears with all active Situations.
- You can perform the following actions on the Situations feed page:
- Search: Search for any Situation by title, summary, external ID, Signal ID, or Situation ID in the search field.
- Filtering: Click the funnel icon and apply filters to retrieve the Situations you want in the Situations feed. Refer to this article for more details on filters.
- Manage Columns: Click the window icon to reorder and/or select the columns that appear in the Situations feed table.
- Close Situations: Select one or more Situations that you want to change to the Closed status and click the Close Situations button. This button is visible to users with the following roles: Global Admin, Owner, Config Manager, Responder, and Manager. When you click Close Situations, a side panel opens where you can select the reason for closing the Situation. The available reasons are: Benign, False Positive, Resolved, Self-Heal, and Closed by External System. After selecting a reason, add a resolution note, enter the time spent resolving the Situation, and click Submit.
- Refresh: Click the Refresh icon to sync the latest Situations to the platform. If you do not click Refresh, Situations are synced to the platform automatically every 30 seconds.
Situation Statuses
The Situations feed updates in real time and always shows the current status. By default, a Situation is assigned one of the following statuses:
| Status | Description |
| --- | --- |
| New | A Situation has arrived recently and has not yet been acknowledged by the support team. |
| Acknowledged | The responder has seen the Situation and owns it. |
| In Progress | The Situation has been acknowledged and work on it has started. |
| On hold | Put on hold while awaiting evidence, awaiting the user, etc. |
| Healed | The Situation resolved on its own. |
| Resolved | Remediation has taken place and resolved the issue. |
| Closed | Remediation has taken place and resolved the issue. |
However, you are free to customize the status values of a Situation to the values you want. To change the status values, refer to the Configuring status values article.
Situation stages
A stage is assigned to a Situation to show its progress in the case cycle. The following stages, in sequence, are involved in resolving a case:
| Stage | Description |
| --- | --- |
| Identify | The security threat in entities is identified. |
| Investigation | Evidence related to the security threat is gathered and analyzed to find its root cause. |
| Clarification | Additional information about the issue is gathered. |
| Mitigation | Immediate action is taken to reduce the severity of the threat. |
| Incident | The case is converted to an incident. |
| Remediation | The root cause of the threat is identified and addressed to prevent its recurrence. |
| Resolution | The permanent resolution is provided. |
However, you are free to customize the stage values of a Situation to the values you want. To change the stage values, refer to the Configuring stage values article.
Exploring the Situation Work Area
To view more details of a Situation:
- Click the Situation that you would like to explore in the Situations feed. A Situation page appears on the right of your screen.
- Review the basic information about any (DigitalOps or Security) Situation:
| Field | Description |
| --- | --- |
| Title | Name of a Situation, generated automatically by correlating similar signals. See Situation Titles & their status to learn how the title and status are generated. |
| Situation ID | Discrete ID of a Situation, generated internally. |
| Organization | The organization to which the Situation belongs. |
| Tenant | The tenant to which the Situation belongs. |
| Last Updated | The date and time at which the Situation was last updated. |
| Class and Subclass | The class and subclass to which the Situation belongs. |
| Category and Subcategory | The category and subcategory to which the Situation belongs. |
| Tags | The key:value pairs that represent the support group within the organization. |
| Status | Status of the Situation. You can change the status manually at any time. |
| Mark as ActOn | Converts the Situation into an ActOn. |
Elements of a Situation
In this section, you explore the various elements of DigitalOps-related Situations. The elements of Security-related Situations are the same as those of Security ActOns.
Situations consist of the following tabs, and each tab provides critical information about a Situation. You can also control which columns appear in the Situation work area by clicking the icon at the right of a Situation.
- Score Evidence: The score of a ticket determines how critical the Situation is. This score is generated from auto-ticketing systems and is associated with priority levels from P0 to P4. For example, if you have ten tickets tagged P0, each with its own score, pick and resolve the ticket with the highest score first.
- Activity: Contains notes given by users who are involved in remediating the ActOn. Notes are classified as:
  - Work Notes: These comments are visible to an external audience. By default, they are synced to external ITSM and SOAR platforms.
  - Internal Notes: These comments are visible to company-specific users only and are not synced to external ITSM and SOAR platforms.
  - Resolution Notes: These comments are updated when a Situation is resolved. The external ITSM or SOAR platforms also need their resolution notes updated and their status changed to Resolved.
  - System Notes: These notes are generated by external applications, such as SOAR (Security Orchestration, Automation, and Response) and ITSM (IT Service Management). Alert notes are also included within the system notes. To view only these notes, click the System Notes button.
Creating Notes
You can create notes of the types described above.
To create notes:
- Under the Activity tab, click Notes. This opens the notes text box.
- Select the type of note you want to post from the drop-down menu. Possible values:
  - Work Note
  - Internal Note
  - Resolution Note
- Enter your comments and the time spent remediating the ActOn, in minutes or hours.
- Click Post.
In addition to creating notes, you can reorder and filter the notes using the following options:
| Item | Description |
| --- | --- |
| Newest on top | The most recently received signals of a Situation appear at the top. |
| Oldest on top | The earliest signals correlated with a Situation appear at the top. |
| All Notes | Select the type of note you want to view. Possible values include: |
- Impacted Functions: In this tab, you can determine the scope (Domain, Organization, and Tenant) and the service-level impact that a Situation can create. The scope of a Situation is indicated by a specific color, shown in the following image.
- Timeline: The timeline lets you visualize the life cycle of a Situation, which helps you understand the behavior of a signal. The timeline also shows the history of status changes related to the Situation. Each dot on the timeline denotes a status change.
- Relevant Situations: These Situations might be generated by a change that occurred in the life cycle of a Situation while a problem associated with it was being solved. This section lets you see whether any relevant Situations were generated and what action to take against them to resolve the problem. You can filter the relevant Situations linked to a specific Situation by entity and duration fields.
- Summary: The summary gives you an overview of Situation details such as Signal ID, Resource, Location, Device Class, Event Class, Event Summary, Event Message, the time at which the Situation was generated, Device URL, Event URL, and the number of correlated signals. The summary is generated by an automated system. You can edit the existing summary using Edit. If no summary is available for an active Situation, you can create one by clicking the Add Summary button.
- Correlated Signals: These signals are related to each other and are correlated by a rules engine to prevent the creation of multiple tickets. Click a Signal ID to view details such as the signal's current status, source, total number of occurrences, signal type, and how many hours it has been open since it was created.
- Tasks: Tasks let you break bigger problems into smaller chunks, which in turn helps multiple stakeholders collaborate to resolve the problem associated with each Situation.
  You can create a task using the following steps:
  - Click next to the tasks. A window appears on the screen.
  - Enter the Name of your task.
  - (Optional) Type the Description.
  - (Optional) Select a user in the Assign To field.
  - (Optional) Select a Category from the drop-down menu.
  - (Optional) Enter the Start and Due Date.
  - Click SUBMIT.
- Entities: The tangible or intangible asset from which an issue is raised and for which a signal is generated. In this tab, you can see the name, the type of entity, and the type of operating system that runs on that asset.
Converting Situations to ActOns
Situations are converted into ActOns either by a correlation policy defined on certain conditions or by manual intervention. Based on the policy definition, a Situation can become an ActOn at the domain, organization, or tenant level.
Order of Precedence
If a Situation is marked as ActOn at:
- Tenant level: it is an ActOn at the Tenant, Organization, and Domain levels.
- Organization level: it remains a Situation at the Tenant level but is an ActOn at the Organization and Domain levels.
- Domain level: it remains a Situation at the Tenant and Organization levels but is an ActOn at the Domain level.
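The following Python model, added here as an illustration and not code from Resolution Intelligence Cloud, applies the article's example correlation rule (signal source OpsRamp, signal class Applications) to constructed signals and then evaluates the ActOn order of precedence above. The Signal and Situation classes, the level tuple, and the refusal to re-mark an existing ActOn are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Scope levels from narrowest to broadest, as the article lists them.
SCOPE_LEVELS = ("Tenant", "Organization", "Domain")

@dataclass
class Signal:
    signal_id: str      # constructed sample values, not real platform IDs
    source: str         # e.g. "OpsRamp" or "Chronicle"
    signal_class: str   # e.g. "Applications"

@dataclass
class Situation:
    title: str
    signals: List[Signal] = field(default_factory=list)
    status: str = "New"                 # default status from the status table
    acton_level: Optional[str] = None   # set once by mark_as_acton()

def rule_opsramp_applications(sig: Signal) -> bool:
    """The article's example rule: source is OpsRamp and class is Applications."""
    return sig.source == "OpsRamp" and sig.signal_class == "Applications"

def correlate(signals: List[Signal], rule: Callable[[Signal], bool], title: str):
    """Group every signal matching `rule` into one Situation and return the
    Situation plus the unmatched signals, so nothing is silently dropped."""
    situation, unmatched = Situation(title=title), []
    for sig in signals:
        (situation.signals if rule(sig) else unmatched).append(sig)
    return situation, unmatched

def mark_as_acton(situation: Situation, level: str) -> None:
    """Convert a Situation into an ActOn at `level`. The article says the
    conversion cannot be reversed, so an existing mark is refused (assumption)."""
    if level not in SCOPE_LEVELS:
        raise ValueError(f"unknown scope level: {level!r}")
    if situation.acton_level is not None:
        raise ValueError("already an ActOn; conversion is irreversible")
    situation.acton_level = level

def is_acton_at(situation: Situation, level: str) -> bool:
    """Order of precedence: ActOn at the marked level and every broader level;
    still a Situation at narrower levels."""
    if situation.acton_level is None:
        return False
    return SCOPE_LEVELS.index(level) >= SCOPE_LEVELS.index(situation.acton_level)
```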
To convert a Situation into an ActOn manually:
- Navigate to Resolutions --> Situations from the left menu.
- Click the Situation that you would like to convert. A Situation page opens.
- Click Not Marked As ActOn. A drop-down menu opens.
- Select the Tenant, Organization, or Domain that you want to notify.
- Click Save. A notification is sent to the selected Tenant.
Note: Once a Situation is converted into an ActOn, the conversion cannot be reversed.