Act on Security Alerts

Respond to security alerts by taking action, assigning them for investigation, resolving them, and reactivating them.
After you learn about a security alert, one of the first steps is to read the details and confirm that the event that triggered it actually occurred, possibly by checking firewall event log entries. After confirming the alert, you must quickly assess its importance and urgency, identify the type of equipment impacted, and then decide how to respond and with whom to engage. The responder might be IT security, clinical engineering, a third-party network security service provider, or perhaps the device vendor or manufacturer. Find the responsible party and contact them about the alert.

Take Action when a Security Alert Occurs

There are numerous ways to respond to a security alert. The action you take depends on the remediation requirements of the situation:
  • If a device was infected by malware or a virus, unplug the device immediately. If its continued use is essential, work with IT security to quarantine it from the rest of the network. You might need to modify firewall security policies to permit only traffic absolutely required for the device to function and block everything else while you work on a resolution.
  • The resolution might require a software patch, and sometimes you might have to get the equipment vendor involved to patch it. If you must continue using the equipment, enforce a strong zero-trust policy until the patch is available.
  • If an alert is generated by a security policy violation, you can send policy recommendations to the firewall so it only permits traffic resulting from normal device behavior.
  • To assist in your analysis, IoT Security provides alert log files (in .csv and .log formats), which contain several days’ worth of network connections involving the device that triggered an alert. You can also download the network traffic data that IoT Security shows as a Sankey diagram and view it as an .xls spreadsheet.

Assign and Track Security Alerts

From the Alerts and Alert Details pages, you can assign a security alert to one or more people for investigation. When you select an alert on Alerts > Security Alerts > All Alerts, a set of actions appears at the top of the alerts table.
To assign an alert to someone to investigate, click More > Assign. Enter an email address and comment and then Assign.
If you assign an alert to an external user—that is, someone who doesn’t have a Palo Alto Networks user account and can’t log in to the IoT Security Portal—a PDF with alert details will be attached to the email.
You can also assign an alert occurrence to someone from the Alert Details page (Alerts > Security Alerts > All Alerts > alert_title) by clicking Action > Assign.
You can also add notes to an alert, which is a convenient way for you and your team to track the progress of investigations of high-level alerts. From the Alerts page, select an alert and then click More > Add notes. From the Alert Details page, click Action > Add Notes. The notes appear in the Alert Events list on the Alert Details page.

Resolve and Reactivate Security Alerts

You resolve a security alert either by accepting it or by addressing the issue in some way, perhaps by assigning it to a network security administrator to investigate and fix.
The Resolve tool is useful for showing how many alerts got resolved in weekly or monthly reports.
If you consider one or more alerts acceptable, such as one at a low severity level, you can resolve them. It is not necessary to resolve each alert occurrence individually. You can select the check box next to the alert group names and then click Resolve at the top of the Alerts list.
After clicking Resolve, the Resolve Alert dialog box appears. Select the reason for resolving it, add a comment, and then Resolve.
If you later decide to reactivate one or more alerts that were previously marked as resolved, you can do so by setting the filter above the Alerts list to Resolved, selecting the alerts, and then clicking Unresolve. In the Change Status dialog box, enter a comment and then click Change.

Suppress Security Alerts

If IoT Security raises a security alert for an expected event, you can suppress future occurrences of the alert so no further resources need be expended on them. You can suppress future alert detections for just the device on which the alert was triggered or for all devices sharing the same device profile, category, or device type. You can suppress the alert indefinitely or for a limited length of time. In addition to suppressing future alert detections, you can also mark the current alert event as resolved.
To suppress an alert, log in to IoT Security as a user with administrator or owner privileges and select Alerts > Security Alerts > All Alerts. Select the alert that you want to suppress and then click More > Suppress Alerts.
You can select multiple alert instances if they are the same type of alert (with the same alert name). When different alert types are selected, the Suppress option becomes unavailable.
To suppress all future alert detections for the device or devices on which the alert was triggered, add a comment, leave Resolve this alert selected, and then click Save.
To suppress future alert detections on additional devices as well as this particular device, expand Suppression Rule, choose one or more attributes in one or more of the Tag, Category, Profile, and Device Type fields, set the length of alert suppression, add a comment, and then click Save. Cortex XSOAR will suppress future alerts occurring on devices matching any of the chosen attributes for the length of time specified.
After you create a suppression rule, it takes IoT Security approximately 30 minutes to apply it throughout the system to all the devices in your inventory. IoT Security also adds it to the rule table at Alerts > Security Alerts > Suppression Rules.
Clicking a rule name opens the Suppress Alert configuration panel where you can view and edit details. The Status column indicates two states. A rule is "In process" during the initial 30-minute application period after it’s been created or modified. After that, the status changes to "Success" indicating that IoT Security has applied the rule to all the targeted devices in its inventory.
After you create a rule, you can always modify it to encompass a wider range of devices. In fact, IoT Security prompts you to do this whenever you are about to suppress an alert on a device and there is already a suppression rule for this type of alert that just doesn't apply to this particular device. It displays an information icon, which expands into a pop-up message when you hover your cursor over it.
To add just this device to the existing rule, optionally add a comment and leave Resolve this alert selected, and then click Save. To apply the suppression rule to this device and others like it, expand View targeted devices, modify the original rule to include the profile, category, or device type that would make it apply to this and similar devices, and then click Save.
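The suppression semantics described above (a rule applies to the devices the alert was raised on, or to any device matching any chosen tag, category, profile, or device type; it is indefinite or time-limited; bulk suppression requires a single alert name) as an added illustrative model. This is example code written for this page, not IoT Security's or Cortex XSOAR's own implementation; the device attributes, alert name, and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Device:
    device_id: str
    profile: str
    category: str
    device_type: str
    tags: frozenset = frozenset()

@dataclass
class SuppressionRule:
    alert_name: str
    created: datetime
    duration: Optional[timedelta] = None            # None: suppress indefinitely
    device_ids: set = field(default_factory=set)    # devices the alert was raised on
    tags: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    profiles: set = field(default_factory=set)
    device_types: set = field(default_factory=set)

    def is_active(self, now: datetime) -> bool:
        return self.duration is None or now < self.created + self.duration

    def targets(self, device: Device) -> bool:
        # A device is targeted when it matches ANY of the chosen attributes.
        return (device.device_id in self.device_ids
                or device.profile in self.profiles
                or device.category in self.categories
                or device.device_type in self.device_types
                or bool(device.tags & self.tags))

def can_bulk_suppress(alert_names) -> bool:
    # Multiple alert instances may be suppressed together only if they share one name.
    return len(set(alert_names)) == 1

def is_suppressed(alert_name: str, device: Device, rules, now: datetime) -> bool:
    return any(r.alert_name == alert_name and r.is_active(now) and r.targets(device)
               for r in rules)

# Constructed sample data (hypothetical devices, alert name and times).
T0 = datetime(2024, 1, 1, 9, 0)
DAY6, DAY8, DAY30 = (T0 + timedelta(days=d) for d in (6, 8, 30))
PUMP_A = Device("dev-a", "Infusion Pump", "Medical", "IoMT", frozenset({"icu"}))
PUMP_B = Device("dev-b", "Infusion Pump", "Medical", "IoMT")
CAMERA = Device("dev-c", "IP Camera", "Security", "IoT")
ALERT = "Outbound SMB to unknown host"
DEVICE_RULE = SuppressionRule(ALERT, T0, duration=timedelta(days=7), device_ids={"dev-a"})
PROFILE_RULE = SuppressionRule(ALERT, T0, profiles={"Infusion Pump"})  # the widened rule
```

Checking `is_suppressed(ALERT, PUMP_B, [DEVICE_RULE], T0)` returns False until the rule is widened to the profile, which mirrors the prompt the portal shows when an existing rule does not cover the device at hand.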
To stop alert suppression, log in to IoT Security as a user with administrator or owner privileges and select Alerts > Security Alerts > Suppression Rules. Select one or more rows in the table and then click Release Suppression.
Because vulnerability scanners generate traffic that triggers lots of alerts, you most likely want to suppress alerts for them. If you have an IoT Security Third-party Integrations Add-on license or a full-featured Cortex XSOAR server, you might have integrated IoT Security through Cortex XSOAR with Qualys, Rapid7, or Tenable vulnerability scanners. If so, IoT Security automatically imports the names and IP addresses of all scan engines, and the names of all sites and vulnerability scan templates from the integrated product and adds them to the list of scanners on Settings > Scanners. The Source column indicates that a scanner was automatically imported by displaying the integration product name: Qualys, Rapid7, or Tenable. If you don't want to automatically import this information to the scanners list, disable Automatically Synchronize Scanners with IoT Security in one of the following Cortex XSOAR jobs, depending on which integration you're using: PANW IoT Get Qualys Scanners and Profiles, PANW IoT Get Rapid7 Scanners and Profiles, or PANW IoT Get Tenable Scanners and Profiles. Disabling this setting doesn't automatically remove previously imported scanners from the list in the IoT Security portal. You must remove them manually by selecting them in the list, clicking Remove from Scanner List, and then clicking Continue at the prompt.
If you want to suppress alerts triggered by vulnerability scanners that are on your network but not integrated with IoT Security, create a list of scanner IP addresses and upload it to IoT Security. Click Settings > Scanners, click Add Scanners, and then download a CSV template.
For each scanner, add its IP address and optionally its MAC address and a comment.
Upload the file to IoT Security. If IP addresses in the CSV file match those in the device inventory, IoT Security adds them to the scanner list and begins to suppress alerts for them. (It can take up to an hour after the upload for alert suppression to begin.) The Source column in the Scanners table indicates that a scanner was manually uploaded by displaying User. If IP addresses are new to IoT Security, it adds them to the scanner list and it adds them to the inventory as scanners after detecting network traffic for them. If there are duplicate entries, IoT Security skips them during the upload process. Finally, if there’s a mismatch between the IP-and-MAC-address pairing for an uploaded scanner and the pairing for a device in its inventory, IoT Security does not upload it.
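The upload rules just described (matching IP added and suppressed, unknown IP held until traffic is seen, duplicate rows skipped, IP-and-MAC mismatch against the inventory rejected), worked through as an added example. This is not IoT Security's own code; the column names `ip`, `mac`, and `comment` are an assumption, since the real CSV template is not reproduced on this page, and the inventory and CSV rows are constructed.

```python
import csv
import io

# Constructed device inventory: IP -> MAC as IoT Security has already learned it.
INVENTORY = {
    "10.0.1.20": "00:11:22:33:44:55",
    "10.0.1.21": "00:11:22:33:44:66",
    "10.0.1.22": "00:11:22:33:44:77",
}

# Constructed upload in the assumed template layout (ip,mac,comment).
SCANNER_CSV = """ip,mac,comment
10.0.1.20,00:11:22:33:44:55,Qualys appliance in the lab
10.0.1.21,,Rapid7 console (MAC omitted)
10.0.1.99,aa:bb:cc:dd:ee:ff,scanner not yet seen on the network
10.0.1.20,00:11:22:33:44:55,duplicate of row 1
10.0.1.22,de:ad:be:ef:00:01,MAC conflicts with the inventory
"""

def import_scanners(csv_text: str, inventory: dict) -> dict:
    """Classify each uploaded row the way the upload procedure above describes.

    added:    IP matches an inventory device (and MAC, if given, agrees);
              alert suppression begins for it.
    pending:  IP unknown; it is listed as a scanner and joins the inventory once
              traffic is seen.
    skipped:  duplicate of an earlier row (keyed on IP; assumption).
    rejected: IP is in the inventory but the uploaded MAC does not match.
    """
    result = {"added": [], "pending": [], "skipped": [], "rejected": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["ip"].strip()
        mac = (row.get("mac") or "").strip().lower() or None
        if ip in seen:
            result["skipped"].append(ip)
            continue
        seen.add(ip)
        inventory_mac = inventory.get(ip)
        if inventory_mac is None:
            result["pending"].append(ip)
        elif mac is not None and mac != inventory_mac.lower():
            result["rejected"].append(ip)
        else:
            result["added"].append(ip)
    return result
```

Reviewing the `rejected` list before uploading is the practical check: an IP-to-MAC conflict usually means the scanner address was reused by another device, and suppressing alerts for it would silence alerts from the wrong host.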