Close a security incident
Chat with an AI agent in the Now Assist panel to help you close a security incident.
Before you begin
Role required: sn_si.analyst or sn_si.manager
About this task
Procedure
- Navigate to All > Security Incident > Security Incident Response Workspace.
- Open the security incident that you want to close by using the AI agent.
- Select the Now Assist icon.
  The Now Assist panel is displayed.
- Close the security incident by using one of the following options.
Option: Close a security incident
Description: On the Now Assist panel, ask the agent to close the security incident in natural language by entering Close this incident, Close this security incident, or Close the security incident: SIR0012345.
Note:
- When you enter Close this incident or Close this security incident, the Now Assist panel picks the security incident in context. When you provide a specific security incident number, such as Close the security incident: SIR0012345, the agentic workflow takes action for the suggested security incident.
- You can close any security incident from the Now Assist panel by providing the security incident number in your text.
- When you request a security incident closure, the Close security incident agentic workflow cancels the mandatory post incident assessment, flow actions, playbook actions, workflow actions, and response tasks. However, you can close these actions manually before initiating the security incident closure request.
The Close security incident agentic workflow provides content for each of the following fields and asks for your feedback. The agentic workflow populates your accepted feedback. After you accept the content for a field, the agentic workflow provides content for the next field.
- Post Incident Analysis: Accept the suggested content by replying with a positive response such as looks good or Ok. Ask the agentic workflow to refine the content and suggest the changes you require.
- Close notes: Accept the suggested content by replying with a positive response such as looks good or Ok. You can ask the agentic workflow to refine the content and you can also suggest the changes you require.
- Close code: On the basis of the security incident details, the agentic workflow suggests a close code. You can accept the close code or suggest an alternative close code for the security incident.
Note: When a field is changed, the activity stream appends the words "AI AGENT:" with a description of the update made by the AI agent. For example, AI AGENT: Close code is updated.

Option: Close a security incident as false positive
Description: On the Now Assist panel, you can ask the AI agent to close the security incident as false positive. For example, Close this incident as false positive or close this security incident as false positive. The agentic workflow provides the summary of the security incident. To close the security incident, enter positive responses such as looks good or Ok.
The AI agent closes the security incident. It also updates the Close notes as Closed by AI Agent as false positive and the Close code as False positive and cancels all active response tasks.