What is an Incident?
The Aperture service identifies and sets the state and category for each incident discovered during the scanning of your assets.
An incident is a record you can use to track a policy violation in a managed SaaS application. The Aperture service creates an incident when it finds a violation of an Asset rule or a Security Control rule, whether that rule is a default policy rule or a custom rule you have defined. It detects these violations by scanning all assets in your managed SaaS applications and matching file and folder metadata, associated collaborators, and file content against your active policy rules or the configuration.
For each incident, you can determine whether it indicates regulatory non-compliance or compromises the security of your proprietary data or intellectual property.
Some examples of incidents include:
- AWS keys that have not been rotated in 3 months.
- Files WildFire has classified as malware.
- Passwords that do not meet the minimum complexity requirements.
- A document or folder that contains sensitive data (such as credit card or social security numbers, secret code names, or source code) and has been shared with an external user or contains a public link.
- Assets that users have shared with external domains or collaborators, or that are directly accessible through a public link or vanity URL.
- Forwarding a corporate email containing sensitive data to a personal email domain.
The Aperture service provides the following default Open and Closed categories:
- The Aperture service automatically assigns all incidents as New, meaning they need assessment. You cannot manually assign an incident from another state to New.
- Assigned to another administrator. To Assign Incidents to Another Administrator, select an admin from Assigned To.
- In Progress, but not closed. The assigned administrator is actively working to assess and resolve the incident.
- Pending action to take place before you can assess or investigate the incident.
- No Reason found for the reported incident.
- Business Justified for incidents such as testing, Aperture tool demonstrations, and training.
- Misidentified as a data pattern match or policy violation.
- Automatic Remediation resolved this incident In the Cloud. You cannot manually assign an incident from another state to In The Cloud.
See Assess New Incidents for information on how to review and resolve these issues.
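The matching described above, sketched as a simplified model (an added example, not Aperture's own code or API): an asset becomes an incident only when its content matches a data pattern and its collaborators or link settings expose it. The `Asset` record, `CORP_DOMAIN` and the sample assets are constructed for illustration; the Luhn checksum shows how a digit run that only looks like a card number is filtered out instead of being raised and later closed as Misidentified.

```python
import re
from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"   # assumption: the organization's own mail domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate card-number runs

def luhn_ok(digits: str) -> bool:
    """Checksum test that rejects digit runs which are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Asset:                                 # hypothetical asset record
    name: str
    content: str
    collaborators: list = field(default_factory=list)
    public_link: bool = False

def exposure(asset):
    """Return how the asset is exposed, or None if it is internal only."""
    if asset.public_link:
        return "public link"
    ext = [c for c in asset.collaborators if not c.lower().endswith("@" + CORP_DOMAIN)]
    return f"external collaborator {ext[0]}" if ext else None

def scan(assets):
    """Open an incident for each asset that holds card data and is exposed."""
    incidents = []
    for a in assets:
        cards = [m for m in CARD_RE.findall(a.content) if luhn_ok(re.sub(r"\D", "", m))]
        how = exposure(a)
        if cards and how:                    # content match AND sharing condition
            incidents.append({"asset": a.name, "state": "New",
                              "reason": f"{len(cards)} card number(s), {how}"})
    return incidents

SAMPLE = [  # constructed sample assets; card values are public test numbers
    Asset("q3-invoices.txt", "Card 4111 1111 1111 1111 on file", ["pat@partner.test"]),
    Asset("order-ids.txt", "Order 1234 5678 9012 3456", ["pat@partner.test"]),
    Asset("payroll.txt", "Card 4111-1111-1111-1111", ["sam@example.com"]),
    Asset("handout.txt", "Test card 5555555555554444", [], public_link=True),
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Only `q3-invoices.txt` and `handout.txt` produce incidents: `order-ids.txt` fails the checksum, and `payroll.txt` is shared only inside the corporate domain.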
Customize the Incident Categories
Add custom incident categories for Open or Closed states to help filter incidents and track changes. ...
Assess Incidents
When you first add a new SaaS application, the Aperture service goes through a discovery phase where it compares the enabled data patterns ...
Assess New Incidents
The Aperture service compiles a summary of all incidents to be assessed and addressed by further investigation or closure. ...
Close one incident at a time or use Bulk Incident to close multiple incidents at once on Aperture. ...
Modify Incident Status
Use Aperture to update the investigation status of an incident after being identified. ...
Assign Incidents to Another Administrator
Use Bulk Incident to assign a group of incidents to another Aperture administrator or assign incidents individually. ...
Use Advanced Search
To perform an advanced search: Show the assets. Select Explore Assets. Select Advanced to start an advanced search. Create your Use ...
Security Controls Incident Details
The Aperture service scans and analyzes email assets, settings, and user behavior and applies Security Control policies to identify exposures, risky ...
Remediate Issues
The Palo Alto Networks® Aperture™ service provides detailed information about the incidents it detects as it scans assets in your managed SaaS applications. ...