Blumira Resolutions
Overview
Resolutions are the final disposition applied to findings when closing them. Choosing the correct resolution type is critical for accurate security metrics, detection tuning, and compliance reporting.
Key Concepts
Resolution Types
| Code | Label | Description | When to Use |
|---|---|---|---|
| 10 | Valid | Confirmed real threat | The finding represents a genuine security event. Action was taken (blocked, remediated, etc.) |
| 20 | Not Applicable | Doesn't apply | The detection is correct but irrelevant to this environment (e.g., policy doesn't apply to test lab) |
| 30 | False Positive | Incorrect detection | The detection fired incorrectly — the activity was benign |
Impact on Metrics
- Valid resolutions count toward your confirmed threat statistics
- False Positive resolutions feed back into detection tuning — high FP rates indicate rules that need adjustment
- Not Applicable resolutions help identify rules to disable for specific environments
API Patterns
List Available Resolutions
blumira_resolutions_list
Returns all resolution types with their codes, labels, and descriptions.
Resolve a Finding
blumira_findings_resolve
finding_id=<UUID>
resolution_type=10
notes="Confirmed credential stuffing attack from IP 203.0.113.50. Account locked, password reset forced."
MSP Finding Resolution
blumira_msp_findings_resolve
account_id=<UUID>
finding_id=<UUID>
resolution_type=30
notes="False positive - scheduled backup job triggers this detection. Added to allowlist."
Common Workflows
Choosing the Right Resolution
-
Is the detected activity real?
- Yes → Was it malicious or a policy violation? → Valid (10)
- Yes → But it's expected/allowed in this environment → Not Applicable (20)
- No → The detection was wrong → False Positive (30)
-
Always include detailed notes explaining the decision
-
For False Positives, note what the activity actually was to help with tuning
Bulk Resolution of False Positives
blumira_findings_listfiltered by the specific detection rule- Review a sample to confirm all are false positives
- Resolve each with resolution type 30 and consistent notes
- Consider requesting a rule tuning in the Blumira portal
Error Handling
Invalid Resolution Type
Cause: Resolution code is not 10, 20, or 30
Solution: Use blumira_resolutions_list to confirm valid codes.
Missing Notes
Cause: Some resolution workflows may require notes Solution: Always provide descriptive notes for audit trail purposes.
Best Practices
- Always provide detailed notes — they're the audit trail for compliance
- Track false positive rates by detection rule to identify tuning opportunities
- Use "Not Applicable" instead of "False Positive" when the detection is correct but the policy doesn't apply
- Review resolution statistics regularly to improve detection quality
- For MSP accounts, maintain consistent resolution standards across tenants