Close security incidents When a security incident has transitioned to the Review state, it is possible to close it and enter an appropriate closure code. Closure codes can be searched on later for ease of location. Before you beginRole required: sn_si.write About this task Note: In previous versions of Security Incident Response, users could close security incidents or requests as spam. In the Istanbul release, the spam option is no longer available. Spam security incidents or requests can be canceled or deleted, as appropriate. Procedure If the security incident you want to close is not already open, navigate to Security Incident > Incidents > Show All Incidents, and locate the security incident you want to close. Click the Closure Information tab and fill in the fields, as appropriate. Table 1. Security incident Field Description Create knowledge article Select this field to automatically create a draft knowledge base article that contains the contents of the post incident review. Close code Select the close code that best describes the reason you are closing this security incident. Investigation completed Threat mitigated Patched vulnerability Invalid vulnerability Not resolved False positive Closed by Displays the user who closed the security incident after the record is updated. Closed Displays the date and time of closure after the record is updated. Close notes Enter any additional notes that describe the outcome of closing this security incident. Click Update. The assigned user can manually change the State to Closed. When a parent incident is closed, all response tasks belonging to the child incident are canceled. If there are no other types of tasks, the child incident is also closed.