Alerts Workflow
You can assign workflow statuses to alerts to help you track the progress of each alert. You manage statuses from the Statuses view. Statuses are either preset by Proofpoint or customized for your organization with a name that will be useful in your workflow analysis.
By default, all new alerts are initially assigned the status of New. You change statuses from the Alerts view.
This feature is available on request. Contact your Proofpoint representative.
Statuses View
To access the Statuses view, from Proofpoint Data Security & Posture, select the Administration app. Select Definitions > Alerts Workflow.
Statuses view shows:
- Name: Name of the status. This field is customizable. You can select a name that will be most useful for your organization's workflow.
- Category: Categories are predefined by Proofpoint. With customized statuses, you select the category you want.
- Created by: Name of admin who created the status or Proofpoint.
- Modified on: Date the status was modified, enabled or disabled. For Proofpoint statuses, this field remains Proofpoint. For customized statuses, this field reflects who created or made a change.
- Enabled/Disabled: When this field is enabled, the status appears as one of the dropdown options in the Alerts screen. When it is disabled, it does not appear in the dropdown.
Details
For details or to edit or delete any status, click the status and the details panel opens. You cannot edit or delete Proofpoint statuses.
To edit, click Edit and to delete, select Delete from the Actions dropdown.
Creating a Customized Status
- From the Administration application, select Definitions > Alerts Workflow.
- In the Statuses view, click New Status.
- From the Category dropdown, select the category you want. These are preset by Proofpoint and you must select one.
- In the Name field, enter the name you want.
- Click Save.
Proofpoint Preset Statuses
The table describes the workflow statuses provided by Proofpoint.
Name | Category |
---|---|
Compromised | Closed - Confirmed Compromised |
Resolved | Closed - Confirmed Malicious |
Not an issue | Closed - Confirmed Negligent (Not important) |
False Positive | Closed - False Positive |
On hold | Open - Blocked |
Escalated | Open - Blocked |
In progress | Open - In progress |
New | Pending - New |
Reopened | Pending - Reopened |
Filtering by Workflow Status
To filter by status Name in the Alerts or Exploration views, select Workflow > Status.
To filter by status Category in the Alerts or Exploration views, select Workflow > Disposition Category.
Is there a way to do a bulk change to the statuses?
Statuses Notes
If you used the Workflow statuses prior to this feature, they will remain associated with the alerts they were assigned to.
Statuses assigned before this feature was released appear with (Deprecated) next to the name.
Remediation Status Mapping
When a remediation action fails, the alert status is automatically updated to On Hold - Escalated to reflect the blocked state of the remediation process.
Reasons are recorded in the Remediation message field and can include:
- A critical error occurred; remediation cannot proceed.
- The remediation action is not supported on this application.
- The remediation failed due to API constraints or throttling.
- The remediation was intentionally skipped due to policy or configuration.
This ensures that alerts tied to failed remediation actions are clearly flagged and remain actionable. It also helps:
- Prioritize unresolved issues
- Understand root causes faster
- Communicate status to stakeholders with clarity
The alert status will change from On Hold to Open - Blocked with any of the above remediation statuses.