Risk State and Status lifecycles

Generally, the State of a risk is set manually by the Risk Dashboard administrator, and the Status of a risk is set automatically by the system based on certain conditions. However, the system automatically sets the State of a risk to Unsuccessful Validation if the State was previously Fixed, Waiting Validation and the risk is detected again during the next scan.

The lifecycle of the risk State and Status is different depending on the Source that discovered the risk:

Tip:

For all three risk sources, you can remove the risk from the list of actionable risks and from the risk calculation by changing the State to Accepted or False Positive.

See Risk states and Risk statuses for more information.

Risks discovered using Arctic Wolf Agent

When Arctic Wolf® Agent discovers a risk, the risk Source is Agent. Each newly discovered risk has a State of Open and a Status of Active. During the next monthly scan:

  • If the risk is not found — The Status automatically changes to Mitigated. The State remains Open even though the risk is mitigated, because this value is manually set.
  • If the risk is found — The Status automatically changes to Active. The State remains as Open.
  • If the next scan does not occur for 45 days — The Status automatically changes to Obsolete and the risk is removed from the list of actionable risks and from the risk calculation.
    Note:

    After seven days, Obsolete risks are removed.

Risks discovered using EVA scanning

When a risk is discovered using EVA scanning, the risk Source is EVA. Each newly discovered risk has a State of Open and a Status of Active. During the next monthly scan, if the risk is no longer found, the Status automatically changes to Mitigated. The State remains Open even though the risk is mitigated, because this value is manually set.

Risks discovered using IVA scanning

When a risk is discovered using IVA scanning, the risk Source is IVA. Each newly discovered risk has a Status of either:

  • Active — The risk was detected in the previous scan and is online.
  • Inactive — The risk was not detected during the previous scan, or the risk exists on an asset that is considered to be offline because it has not been detected for 24 hours. The risk remains as Inactive for 90 days unless the risk is detected again, or the device comes back online. After 90 days, if the risk is not detected, the Status automatically changes to Mitigated. After 90 days of the risk being offline, the risk Status automatically changes to Obsolete. In both cases, the risk is removed from the default actionable risk view and from the risk score calculation.
    Note:
    • Inactive is a Status used only for IVA risks.
    • After seven days, Obsolete risks are removed.

    This diagram shows the lifecycle of mitigated risks that were discovered by an IVA:

    lifecycle diagram of IVA-discovered mitigated risks

    This diagram shows the lifecycle of offline assets that were discovered by an IVA:

    lifecycle diagram of IVA-discovered offline assets
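
The State and Status rules described above for the three sources can be modelled as a small state machine. This is an added example, not Arctic Wolf code or a Risk Dashboard API: the names `Risk`, `update`, `excluded` and all parameters are hypothetical, the day thresholds are assumed to be inclusive, and the seven-day removal of Obsolete risks is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Risk:                 # hypothetical model of one dashboard entry
    source: str             # "Agent", "EVA" or "IVA"
    state: str = "Open"     # set manually, except Unsuccessful Validation
    status: str = "Active"  # set by the system

def update(risk, scanned, detected=False, days_without_scan=0,
           days_inactive=0, asset_offline=False):
    """Apply one observation to a risk using the rules stated on this page.
    Assumption: the 45-day and 90-day thresholds are inclusive (>=)."""
    if scanned and detected:
        risk.status = "Active"
        # The only State change the system makes on its own.
        if risk.state == "Fixed, Waiting Validation":
            risk.state = "Unsuccessful Validation"
    elif risk.source == "Agent":
        if not scanned and days_without_scan >= 45:
            risk.status = "Obsolete"
        elif scanned:
            risk.status = "Mitigated"      # State is left untouched
    elif risk.source == "EVA":
        if scanned:
            risk.status = "Mitigated"
    elif risk.source == "IVA":
        if days_inactive >= 90:
            risk.status = "Obsolete" if asset_offline else "Mitigated"
        elif asset_offline or scanned:
            risk.status = "Inactive"       # Status used only for IVA risks
    return risk

def excluded(risk):
    """True where the page says the risk leaves the actionable list and score."""
    if risk.state in ("Accepted", "False Positive"):
        return True
    if risk.status == "Obsolete":
        return True
    # Stated for IVA only; the page is silent on Mitigated Agent/EVA risks.
    return risk.source == "IVA" and risk.status == "Mitigated"

if __name__ == "__main__":
    # Constructed observations for one IVA risk, not real scan data.
    r = Risk("IVA")
    for obs in ({"scanned": True, "detected": True},
                {"scanned": True, "days_inactive": 30},
                {"scanned": True, "days_inactive": 90}):
        update(r, **obs)
        print(r.state, r.status, "excluded" if excluded(r) else "actionable")
```

The model makes one operational point easy to see: a risk can sit at State Open with Status Mitigated, so filtering on State alone does not reflect what the scans last reported.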