Close security incidents

  • Release version: Australia
  • Updated March 12, 2026

When a security incident has transitioned to the Review state, you can close it and enter an appropriate closure code. Closure codes can be searched on later, which makes incidents easier to locate.

    Before you begin

    Role required: sn_si.write

    About this task

    Procedure

    1. If the security incident you want to close isn’t already open, navigate to Security Incident > Incidents > Show All Incidents, and locate the security incident you want to close.
      Note:
      If there are any post incident review assessments that haven’t been completed for this security incident, the security incident can’t be closed. Return to Security Incident > Post Incident Review > All Incomplete Reviews, locate the reviews that are incomplete, and either ask the reviewers to complete their reviews or cancel the remaining assessments.
    2. Select the Closure Information tab and fill in the fields, as appropriate.
      Table 1. Security incident
      Field | Description
      Create knowledge article | The option to create a draft knowledge base article that contains the contents of the post incident review.
      Close code | The close code that best describes the reason you’re closing this security incident.
        • Investigation completed
        • Threat mitigated
        • Patched vulnerability
        • Invalid vulnerability
        • Not resolved
        • False positive
      Closed by | Displays the user who closed the security incident after the record is updated.
      Closed | Displays the date and time of closure after the record is updated.
      Close notes | Additional notes that describe the outcome of closing this security incident.
    3. Select Update.
    4. The assigned user can manually change the State to Closed.
      Note:
      To prevent users from modifying attachments on a closed security incident, enable the sn_si.lock_attachments_on_closure system property.
      When a parent incident is closed, all response tasks belonging to the child incident are canceled. If there are no other types of tasks, the child incident is also closed.