Close security incidents

When a security incident has transitioned to the Review state, you can close it and enter an appropriate closure code. You can search on closure codes later to locate incidents more easily.

Before you begin

Role required: sn_si.write


  1. Navigate to Security Incident > Incidents > Show All Incidents, and locate the security incident you want to close.
    Note: If there are any post incident review assessments that have not been completed for this security incident, the security incident cannot be closed. Return to Security Incident > Post Incident Review > All Incomplete Reviews, locate the reviews that are incomplete, and either ask the reviewers to complete their reviews or cancel the remaining assessments.
  2. Click the Closure Information tab and fill in the fields, as appropriate.
    Table 1. Security incident
    Field: Description
    Create knowledge article: Select this to automatically create a draft knowledge base article that contains the contents of the post incident review.
    Close code: Select the close code that best describes the reason you are closing this security incident.
      • Investigation completed
      • Threat mitigated
      • Patched vulnerability
      • Invalid vulnerability
      • Not resolved
      • False positive
    Closed by: Displays the user who closed the security incident after the record is updated.
    Closed: Displays the date and time of closure after the record is updated.
    Close notes: Enter any additional notes that describe the outcome of closing this security incident.
  3. Click Update.
  4. The assigned user can manually change the State to Closed.