Close security incidents

When a security incident has transitioned to the Review state, you can close it and enter an appropriate closure code. You can search on closure codes later to locate closed incidents more easily.

Before you begin

Role required: sn_si.write

Procedure

  1. If the security incident you want to close is not already open, navigate to Security Incident > Incidents > Show All Incidents, and locate the security incident you want to close.
  2. Click the Closure Information tab and fill in the fields, as appropriate.
    Table 1. Security incident
    Field: Description
    Create knowledge article: Select this to automatically create a draft knowledge base article that contains the contents of the post incident review.
    Close code: Select the close code that best describes the reason you are closing this security incident.
      • Investigation completed
      • Threat mitigated
      • Patched vulnerability
      • Invalid vulnerability
      • Not resolved
      • False positive
    Closed by: Displays the user who closed the security incident after the record is updated.
    Closed: Displays the date and time of closure after the record is updated.
    Close notes: Enter any additional notes that describe the outcome of closing this security incident.
  3. Click Update.
  4. The assigned user can manually change the State to Closed.