This article provides an overview of Situations, their types and key elements, the procedure for converting a Situation into an ActOn, and how to change the status of a Situation from one value to another.
Resolution Intelligence Cloud provides an AI/ML-driven correlation engine that correlates high-quality and repetitive signals to identify macro-level issues in your IT infrastructure, called Situations. Situations streamline the handoff between teams, centralize critical information, and reduce notification fatigue.
Resolution Intelligence Cloud does not allow you to push Situations into ITSM (Jira and ServiceNow) and Security (Chronicle SOAR) integrations directly.
Situations in Resolution Intelligence Cloud are of two types:
- DigitalOps Situations
- Security Situations
Viewing Situations
Resolution Intelligence Cloud ingests all signals originating from source systems such as OpsRamp and Chronicle and uses correlation algorithms to group similar signals into a Situation. Signals become Situations through correlation rules defined on specific conditions. For example, a rule can correlate multiple signals into one Situation when the signal source is OpsRamp and the signal class is Applications.
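The following is an added example, not code from Resolution Intelligence Cloud, that shows how a rule of the kind just described ("source is OpsRamp and class is Applications") folds a stream of signals into Situations. The signal fields, the rule format, the optional per-resource grouping, and the sample signals are all assumptions constructed for illustration.

```python
"""Rule-based signal correlation (illustrative example, not the product's engine).

A rule is a set of field = value conditions that must all hold. Signals that match
a rule are collected into one Situation, optionally one Situation per distinct value
of a grouping field (e.g. one Situation per affected resource). Field names and the
rule format are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Signal:
    signal_id: str
    source: str          # e.g. "OpsRamp", "Chronicle"
    signal_class: str    # e.g. "Applications", "Network"
    resource: str        # the entity the signal was raised on
    summary: str


@dataclass
class Situation:
    situation_id: str
    rule_name: str
    signals: List[Signal] = field(default_factory=list)

    @property
    def title(self) -> str:
        # Assumed title format: rule name plus the number of correlated signals.
        return f"{self.rule_name}: {len(self.signals)} correlated signal(s)"


@dataclass
class CorrelationRule:
    name: str
    conditions: Dict[str, str]        # every condition must match
    group_by: Optional[str] = None    # field whose value splits matches into Situations

    def matches(self, signal: Signal) -> bool:
        return all(getattr(signal, k, None) == v for k, v in self.conditions.items())


def correlate(signals: List[Signal],
              rules: List[CorrelationRule]) -> Tuple[List[Situation], List[Signal]]:
    """Return (situations, unmatched_signals). The first matching rule wins."""
    situations: Dict[tuple, Situation] = {}
    unmatched: List[Signal] = []
    counter = 0
    for sig in signals:
        for rule in rules:
            if rule.matches(sig):
                group_value = getattr(sig, rule.group_by) if rule.group_by else None
                key = (rule.name, group_value)
                if key not in situations:
                    counter += 1
                    situations[key] = Situation(f"SIT-{counter:04d}", rule.name)
                situations[key].signals.append(sig)
                break
        else:
            unmatched.append(sig)   # no rule matched: stays a standalone signal
    return list(situations.values()), unmatched


# Constructed sample feed: three OpsRamp application signals (two on the same
# resource), one OpsRamp network signal, one Chronicle application signal.
SAMPLE_SIGNALS = [
    Signal("SIG-1", "OpsRamp", "Applications", "app-01", "CPU high"),
    Signal("SIG-2", "OpsRamp", "Network", "core-sw-1", "link down"),
    Signal("SIG-3", "OpsRamp", "Applications", "app-01", "memory high"),
    Signal("SIG-4", "Chronicle", "Applications", "app-01", "suspicious login"),
    Signal("SIG-5", "OpsRamp", "Applications", "app-02", "disk full"),
]

# The rule from the text: source OpsRamp and class Applications, one Situation
# per affected resource.
RULES = [
    CorrelationRule(
        name="OpsRamp application signals",
        conditions={"source": "OpsRamp", "signal_class": "Applications"},
        group_by="resource",
    )
]


def demo() -> Tuple[List[str], List[str]]:
    """Run the sample feed through the rule; return Situation titles and unmatched IDs."""
    situations, unmatched = correlate(SAMPLE_SIGNALS, RULES)
    return [s.title for s in situations], [s.signal_id for s in unmatched]


if __name__ == "__main__":
    titles, leftover = demo()
    for t in titles:
        print(t)
    print("unmatched:", leftover)
```

With the sample feed, the rule produces two Situations (app-01 with two signals, app-02 with one) and leaves the network and Chronicle signals unmatched, which is the point of the grouping: one ticket per affected resource instead of one per signal.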
To explore the Situations feed:
- Navigate to Resolutions --> Situations from the left menu. A Situations feed appears with all active Situations.
- You can perform the following actions on the Situations feed page:
  - Search: Search for any Situation by title, summary, external ID, Signal ID, or Situation ID in the search field.
  - Filtering: Click the funnel icon and apply filters to retrieve the Situations you want in the Situations feed. Refer to the filters article for more details.
  - Manage Columns: Click the window icon to reorder and/or select the columns that you want to appear in the Situations feed table.
  - Close Situations: Select one or more Situations that you want to change to a Closed status, then click the Close Situations button. This button is visible only when at least one Situation is selected and is available to users with the following roles: Global Admin, Owner, Config Manager, Responder, and Manager.
    When you click Close Situations, a side panel opens where you can select a reason for closing the Situation. The available reasons are: Benign, False Positive, Resolved, Self-Heal, and Closed by External System. After selecting a reason, add a resolution note, specify the time spent resolving the Situation, and click Submit.
  - Refresh: Click the Refresh icon to sync the latest Situations to the platform. If you do not click Refresh, Situations are synced to the platform automatically every 30 seconds.
Situation Status
The Situations feed updates in real time and always reflects the current status. By default, a Situation has one of the following status values:

| Status | Description |
| --- | --- |
| New | A Situation has arrived recently and has not yet been acknowledged by the support team. |
| Acknowledged | The respondent has seen the Situation and owns it. |
| In Progress | The respondent has acknowledged the Situation and started working on it. |
| On hold | Put on hold while awaiting evidence, awaiting the user, etc. |
| Healed | The Situation got resolved on its own. |
| Resolved | Remediation has taken place and resolved the issue. |
| Closed | Remediation has taken place and resolved the issue. |

However, you are free to customize the status values of a Situation to the values you want. To change the status values, refer to the Configuring Status Values article.
Situation stages
A stage is assigned to a Situation to show its progress in the case cycle. The following stages, in sequence, are involved in resolving a case:

| Stage | Description |
| --- | --- |
| Identify | The security threat in entities is identified. |
| Investigation | Evidence related to the security threat is gathered and analyzed to find its root cause. |
| Clarification | Additional information about the issue is gathered. |
| Mitigation | Immediate action is taken to reduce the severity of the threat. |
| Incident | The case is converted to an incident. |
| Remediation | The root cause of the threat is identified and addressed to prevent its recurrence. |
| Resolution | The permanent resolution is provided. |

However, you are free to customize the stage values of a Situation to the values you want. To change the stage values, refer to the Configuring Stage Values article.
Exploring Situation Work area
To view more details of a Situation:
- Click the Situation that you want to explore in the Situations feed. A Situation page appears on the right of your screen.
- Review the basic information about any (DigitalOps or Security) Situation:

| Field | Description |
| --- | --- |
| Title | Name of a Situation, generated automatically by correlating similar signals. See Situation Titles & their status to learn how the title and status are generated. |
| Situation ID | Discrete ID of a Situation, generated internally. |
| Organization | The name of the organization to which the Situation belongs. |
| Tenant | The name of the tenant to which the Situation belongs. |
| Last Updated | The date and time at which the Situation was last updated. |
| Class and Subclass | The class and subclass to which the Situation belongs. |
| Category and Subcategory | The category and subcategory to which the Situation belongs. |
| Tags | The key:value pairs that represent the support group within the organization. |
| Status | Status of the Situation. You can change the status manually at any time. |
| Mark as ActOn | Converts the Situation into an ActOn. |
Elements of a Situation
In this section, you explore the various elements of DigitalOps-related Situations. The elements of Security-related Situations are the same as those of Security ActOns.
Situations consist of the following tabs, and each tab provides you with critical information about a Situation. Also, you can control what columns appear in the Situation work area by clicking the icon at the right of a Situation.
- Score Evidence: The score of a ticket determines how critical the Situation is. This score is generated from auto-ticketing systems and is associated with priority levels from P0 to P4. Suppose you have ten tickets tagged P0, each with its own score; you must pick and resolve the ticket with the highest score first.
- Activity: Contains notes given by users who are involved in remediating the ActOn. Notes are classified as:
  - Work Notes: These comments are visible to an external audience. By default, they are synced to external ITSM and SOAR platforms.
  - Internal Notes: These comments are visible to company-specific users only and are not synced to external ITSM and SOAR platforms.
  - Resolution Notes: These comments are added when a Situation is resolved. External ITSM or SOAR platforms have their resolution notes updated and their status changed to resolved.
  - System Notes: These notes are generated by external applications, such as SOAR (Security Orchestration, Automation, and Response) and ITSM (IT Service Management). Alert notes are also included within the system notes. To view only these notes, click the System Notes button.
Creating Notes
You can create your notes by using the types described above.
To create notes:
- Under the Activity tab, click Notes. This opens the notes text box.
- Select the type of note you want to post from the drop-down menu. Possible values:
  - Work Note
  - Internal Note
  - Resolution Note
- Enter your comments and the time spent remediating the ActOn, in minutes or hours.
- Click Post.
In addition to creating notes, you can order the notes as you prefer and choose which note type to view, using the following options:

| Item | Description |
| --- | --- |
| Newest on top | The most recently received signals of a Situation appear at the top. |
| Oldest on top | The earliest signals correlated with a Situation appear at the top. |
| All Notes | Select the type of note you want to view. Possible values include: |
- Impacted Functions: In this tab you can determine the scope (Domain, Organization, and Tenant) and the service-level impact that a Situation can create. The scope of a Situation is indicated by a specific color, as shown in the following image.
- Timeline: The timeline lets you visualize the life cycle of a Situation, which helps you understand the behavior of a signal. The timeline also shows the history of status changes related to a Situation. Each dot on the timeline denotes a status change.
- Relevant Situations: These Situations might be generated due to a change that occurred in the life cycle of a Situation while a problem associated with it was being solved. This section lets you see whether any relevant Situations were generated and what action to take on them to resolve the problem. You can filter the relevant Situations linked to a specific Situation by entity and duration fields.
- Summary: The summary gives you an overview of Situation details such as Signal ID, Resource, Location, Device Class, Event Class, Event Summary, Event Message, the time at which the Situation was generated, Device URL, Event URL, and the number of correlated signals. The summary is generated automatically. You can edit the existing summary using Edit. If no summary is available for an active Situation, you can create one by clicking the Add Summary button.
- Correlated Signals: These signals are related to each other and are correlated by a rules engine to prevent the creation of multiple tickets. Click a Signal ID to view details such as the signal's current status, source, total number of occurrences, signal type, and how many hours it has been open since it was created.
- Tasks: Tasks let you break bigger problems into smaller chunks, which in turn helps multiple stakeholders collaborate to resolve the problem associated with each Situation.
  You can create a task using the following steps:
  - Click the icon next to Tasks. A window appears on the screen.
  - Enter the Name of your task.
  - (Optional) Type the Description.
  - (Optional) Select a user in the Assign To field.
  - (Optional) Select a Category from the drop-down menu.
  - (Optional) Enter the Start and Due Date.
  - Click SUBMIT.
- Entities: The tangible or intangible asset on which an issue is raised and for which a signal is generated. In this tab, you can see the name of the entity, its type, and the type of operating system that runs on that asset.
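The Score Evidence tab above describes a two-level triage rule: the priority level (P0 before P4) decides first, and within one level the highest score is worked first. The following is an added example, not the product's code, that applies that ordering to a constructed set of tickets; the ticket fields and the handling of unknown priority labels are assumptions.

```python
"""Triage ordering by priority level, then by evidence score (illustrative example).

Follows the Score Evidence rule: a P0 ticket always comes before a P1 ticket,
and among tickets at the same level the highest score is handled first.
Ticket field names are assumptions made for this example.
"""
from typing import Dict, List, Optional

# Lower rank = more urgent. Labels outside P0..P4 are treated as least urgent (assumption).
PRIORITY_RANK = {"P0": 0, "P1": 1, "P2": 2, "P3": 3, "P4": 4}

Ticket = Dict[str, object]


def triage_order(tickets: List[Ticket]) -> List[Ticket]:
    """Return the tickets sorted so that the one to work on first comes first."""
    def key(t: Ticket):
        rank = PRIORITY_RANK.get(str(t["priority"]), len(PRIORITY_RANK))
        return (rank, -int(t["score"]))   # higher score first within a level
    return sorted(tickets, key=key)       # stable: equal keys keep feed order


def next_ticket(tickets: List[Ticket]) -> Optional[str]:
    """ID of the ticket to pick up next, or None if the feed is empty."""
    ordered = triage_order(tickets)
    return str(ordered[0]["id"]) if ordered else None


# Constructed sample: note that T-4 has the highest score but is only P4,
# so it is worked last despite its score.
SAMPLE_TICKETS = [
    {"id": "T-1", "priority": "P1", "score": 95},
    {"id": "T-2", "priority": "P0", "score": 40},
    {"id": "T-3", "priority": "P0", "score": 72},
    {"id": "T-4", "priority": "P4", "score": 99},
    {"id": "T-5", "priority": "P0", "score": 72},
]


def demo() -> List[str]:
    """Return the ticket IDs in triage order for the sample feed."""
    return [str(t["id"]) for t in triage_order(SAMPLE_TICKETS)]


if __name__ == "__main__":
    print("work order:", demo())
    print("next:", next_ticket(SAMPLE_TICKETS))
```

Ties on both priority and score keep their feed order because Python's sort is stable, so two P0 tickets with equal scores are handled in arrival order.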
Converting Situations to ActOns
Situations can be converted into ActOns in two ways:
- Automatically – Create an ActOn policy with conditions. When a situation meets these conditions, it is automatically converted into an ActOn. See ActOn Policies.
- Manually – Mark a situation as an ActOn manually. See Manually Converting a Situation into an ActOn.
Regardless of whether you mark a situation as an ActOn at the domain, organization, or tenant level, it will be recognized across all three levels.
Manually Converting a Situation into an ActOn
- Navigate to Resolutions → Situations from the left menu.
- Click the Situation you want to convert into an ActOn. The Situation page opens.
- Click Mark As ActOn. A confirmation modal appears.
- Click Yes to confirm. The Situation with this ID is marked as an ActOn across all three levels.
Note: Once a situation is converted into an ActOn, this action cannot be reversed.