Close security incidents

When a security incident has transitioned to the Review state, you can close it and enter an appropriate closure code. Closure codes can be searched on later, which makes closed incidents easier to locate.

Before you begin

Role required: sn_si.write

About this task

Note: In previous versions of Security Incident Response, users could close security incidents or requests as spam. In the Istanbul release, the spam option is no longer available. Spam security incidents or requests can be canceled or deleted, as appropriate.


  1. If the security incident you want to close is not already open, navigate to Security Incident > Incidents > Show All Incidents, and locate the security incident you want to close.
    Note: If there are any post incident review assessments that have not been completed for this security incident, the security incident cannot be closed. Return to Security Incident > Post Incident Review > All Incomplete Reviews, locate the reviews that are incomplete, and either ask the reviewers to complete their reviews or cancel the remaining assessments.
  2. Click the Closure Information tab and fill in the fields, as appropriate.
    Table 1. Security incident

    | Field | Description |
    | --- | --- |
    | Create knowledge article | Select this field to automatically create a draft knowledge base article that contains the contents of the post incident review. |
    | Close code | Select the close code that best describes the reason you are closing this security incident: Investigation completed, Threat mitigated, Patched vulnerability, Invalid vulnerability, Not resolved, False positive. |
    | Closed by | Displays the user who closed the security incident after the record is updated. |
    | Closed | Displays the date and time of closure after the record is updated. |
    | Close notes | Enter any additional notes that describe the outcome of closing this security incident. |

  3. Click Update.
  4. The assigned user can manually change the State to Closed.
    When a parent incident is closed, all response tasks belonging to the child incident are canceled. If there are no other types of tasks, the child incident is also closed.