When a security incident has transitioned to the Review state, you can close it and
enter an appropriate closure code. You can search on closure codes later, which makes
closed incidents easier to locate.
Before you begin
Role required: sn_si.write
About this task
Note: In previous versions of Security Incident Response,
users could close security incidents or requests as spam. In the Istanbul release, the spam
option is no longer available. Spam security incidents or requests can be canceled
or deleted, as appropriate.
Procedure
- If the security incident you want to close is not already open, navigate to , and locate the security incident you want to close.
  Note: If there are any post incident review assessments that have not been completed for this security incident, the security incident cannot be closed. Return to , locate the reviews that are incomplete, and either ask the reviewers to complete their reviews or cancel the remaining assessments.
- Click the Closure Information tab and fill in the fields, as appropriate.
Table 1. Security incident
| Field | Description |
|---|---|
| Create knowledge article | Select this field to automatically create a draft knowledge base article that contains the contents of the post incident review. |
| Close code | Select the close code that best describes the reason you are closing this security incident: Investigation completed, Threat mitigated, Patched vulnerability, Invalid vulnerability, Not resolved, False positive. |
| Closed by | Displays the user who closed the security incident after the record is updated. |
| Closed | Displays the date and time of closure after the record is updated. |
| Close notes | Enter any additional notes that describe the outcome of closing this security incident. |
- Click Update.
- The assigned user can manually change the State to Closed.
When a parent incident is closed, all response tasks belonging to the
child incident are canceled. If there are no other types of tasks, the child
incident is also closed.