Skyhigh Security

Remediate CSPM Policy Incidents

Auto Remediation

Skyhigh CASB allows you to automatically remediate all incidents that are triggered when an IaaS Cloud Service Provider's Configuration policy is violated. To configure auto remediation for AWS, Azure, and GCP incidents using the Configuration Audit policy, see:

Skyhigh CASB scans every 24 hours, so incident data is updated daily. 

The following incident states support auto-remediation:

  • Archived. An incident is marked Archived if it is no longer valid. This could happen if the entity that triggered the violation (such as a user) is deleted from the Service Provider.
  • Escalated. An incident is marked Escalated when it is moved to the next level of review. 
  • False Positive. When an incident is manually changed to False Positive status, it remains in that status even if a new scan detects the same violation.
  • New. When an incident is detected for the first time during a scan, it is marked as a New incident.
  • Open. An incident is marked as Open when it is resolved on the dashboard but is found again in the scan.
  • Pending. An incident is marked Pending when it is pending review. 
  • Resolved. Incidents are marked Resolved if the configuration that caused the incident is resolved by a member of your team.
  • Suppressed. When an incident is manually set to Suppressed status, it remains in that status even if a new scan detects the same violation.

NOTE: Suppressed is not listed in the UI, but you can search for it in the Omnibar.

  • Suspended. If the incident is suspended, it is marked as Suspended.  
  • Under Investigation. An incident is marked Under Investigation when it is being actively reviewed. 
  • Viewed. An incident is marked Viewed when it has been viewed for review, but not otherwise categorized. 

Manual Remediation 

You can remediate AWS, Azure, and GCP incidents manually. As an example, we have outlined how to remediate AWS incidents manually. When AWS policy incidents are generated, you can view the incidents and the recommended remediation steps in Skyhigh CASB.

To view AWS incident manual remediation steps:

  1. Go to Incidents > Policy Incidents.
  2. Find the incident and click the row to show the Cloud Card. 
  3. Follow the steps displayed under What you can do.

Refresh AWS Incidents

The refresh feature shows the most recent AWS violations on the Policy Incidents page. You can use it to refresh an AWS incident in real time, including incidents created from Custom Configuration Audit policies.

  1. Go to Incidents > Policy Incidents.
  2. Filter for Incident Type > Audit Violation and Service Name > AWS.
  3. Click any incident in the table to view the Cloud Card for the specific incident.
  4. On the Cloud Card, click Refresh.
  5. A status message is displayed on the Cloud Card as the account is rescanned. Any updates to the violation are displayed once the scan is complete.

 
