The Workflow column displays the status of the alert.

You can change the workflow of an alert to Open, Closed, or In Progress.

When closing or opening an alert, you can automatically close or open the alert on all devices in the future.

Important: The Automatically close all future alerts with this threat ID option is based on the threat ID, which is available by using the Alerts API. The threat ID definition varies slightly across CB Analytics, Watchlists, USB Device Control, Host-Based Firewall, Containers Runtime, and Intrusion Detection System alert types:
  • CB Analytics: Combination of the primary threat actor (usually the SHA-256 hash of the threat actor) and the alert reason that is derived by the Endpoint Standard Analytics engine.
  • Watchlists: The report that triggered the Watchlist hit.
  • USB Device Control: Represents a unique USB device.
  • Host-Based Firewall: Alerts with the same host-based firewall rule and direction.
  • Containers Runtime: Alerts in the same cluster and namespace with the same policy and rule.
  • IDS: Alerts with the same process and IDS signature or rule.

If an alert is flagged for dismissal, any future alerts that contain the same threat ID are dismissed.

Note: Alerts can present different SHA-256 hashes. To close or open an alert on multiple devices, the hash of the object must be the same.
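To see how the threat ID rule plays out, here is an added example (not part of this documentation or the product's own code) that groups a batch of alert records by threat ID and previews which other open alerts would be swept up by closing one with the "Automatically close all future alerts with this threat ID" option. The records are constructed, and the field names (`threat_id`, `type`, `device_name`, `workflow.status`) are assumptions modelled on the Alerts API rather than taken from this page.

```python
from collections import defaultdict

# Constructed sample records shaped like Alerts API search results.
# Field names are assumptions modelled on that API, not from this page.
SAMPLE_ALERTS = [
    {"id": "a1", "type": "CB_ANALYTICS", "device_name": "host-01",
     "threat_id": "T-ABC", "workflow": {"status": "OPEN"}},
    {"id": "a2", "type": "CB_ANALYTICS", "device_name": "host-02",
     "threat_id": "T-ABC", "workflow": {"status": "OPEN"}},
    # Same kind of threat but a different SHA-256 gives a different
    # threat ID, so closing T-ABC does not touch it (see the Note above).
    {"id": "a3", "type": "CB_ANALYTICS", "device_name": "host-03",
     "threat_id": "T-DEF", "workflow": {"status": "OPEN"}},
    {"id": "a4", "type": "WATCHLIST", "device_name": "host-01",
     "threat_id": "T-WL1", "workflow": {"status": "CLOSED"}},
]


def group_by_threat(alerts):
    """Map each threat ID to the IDs of the alerts that share it."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["threat_id"]].append(alert["id"])
    return dict(groups)


def preview_auto_close(alerts, alert_id):
    """Return (alert id, device) pairs for the other non-closed alerts
    that share the threat ID of `alert_id`, i.e. the ones that closing
    it with the auto-close option would also affect."""
    target = next(a for a in alerts if a["id"] == alert_id)
    return sorted(
        (a["id"], a["device_name"])
        for a in alerts
        if a["threat_id"] == target["threat_id"]
        and a["id"] != alert_id
        and a["workflow"]["status"] != "CLOSED"
    )


if __name__ == "__main__":
    print(group_by_threat(SAMPLE_ALERTS))
    print(preview_auto_close(SAMPLE_ALERTS, "a1"))  # [('a2', 'host-02')]
    print(preview_auto_close(SAMPLE_ALERTS, "a3"))  # []
```

Running the preview before changing a workflow shows the blast radius of the option on existing alerts; alerts that only arrive later with the same threat ID are handled by the product, not by this script.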