What is an Incident?

Prisma SaaS identifies and sets the state and category for each incident discovered during the scanning of your assets.
An incident is a record you can use to track a policy violation in a managed SaaS application. Prisma SaaS identifies incidents when it finds a violation of Asset rules or Security Control rules against default policy rules and any custom rules you have defined. The service detects these incidents by scanning all assets in your managed SaaS applications and matching the file and folder metadata, associated collaborators, and the content of the files against your active policy rules or the configuration.
For each incident, you can determine whether it indicates regulatory non-compliance or whether it compromises the security of your proprietary data or intellectual property.
Some examples of incidents include:
  • AWS keys that have not been rotated in 3 months.
  • Files WildFire has classified as malware.
  • Passwords that do not meet the minimum complexity requirements.
  • A document or folder containing sensitive data (such as credit card or social security numbers, secret code names, or source code) that is shared with an external user or that contains a public link.
  • Assets that users have shared with external domains or collaborators, or that are directly accessible through a public link or vanity URL.
  • Forwarding a corporate email containing sensitive data to a personal email domain.
Prisma SaaS provides the following default Open and Closed categories. You cannot delete or rename default or custom categories.

Incident State: Open
Incident Category:
  • New: Prisma SaaS automatically assigns all incidents as New; these incidents need assessment. You cannot manually assign an incident from another state to New.
  • Assigned: The incident has been assigned to another administrator. To Assign Incidents to Another Administrator, select an admin from Assigned To.
  • In Progress: The incident investigation is in progress, but not closed. The assigned administrator is actively working to assess and resolve the incident.
  • Pending: An action must take place before you can assess, investigate, or remediate the incident. The action can be information from an asset owner or a dependency on another stakeholder in your organization.

Incident State: Closed
Incident Category:
  • No Reason: No reason was found for the reported incident.
  • Business Justified: For incidents such as testing, any Prisma SaaS demonstrations, and training.
  • Misidentified: The incident was misidentified as a data pattern match or policy violation.
  • In the Cloud: Automatic Remediation resolved this incident. You cannot manually assign an incident from another state to In the Cloud.

See Assess New Incidents for information on how to review and resolve these issues.
