Is it possible to reopen a Security Incident Response (SIR) record?

jorgevargas · 2 hours ago

Hi community, I wanted to ask whether anyone has experience reopening a Security Incident Response (SIR) record and if so, how you approached it.

I'm currently working on a UI Action to handle this, but even when I attempt to change the state programmatically, the SIR doesn't actually reopen. The state field seems to update, but the record doesn't behave as expected after the change.

Has anyone run into this before? Any tips, workarounds, or things I might be missing would be greatly appreciated. Thanks in advance!

mujeebqasimi · an hour ago

It’s not that the record is still “closed” behind the scenes, the state field does change.

The issue is that SIR has lifecycle logic tied to closure (flows, BRs, tasks, UI policies), and changing the state alone doesn’t undo any of that. So you end up with a record in an open state, but with all the closure side effects still applied. So if you are creating any UI action it should handle that logic, not just flipping the field.

AlecBrouillette · an hour ago

From a product and tech debt point of view it is not recommended to re-open tickets. Like Mujeebqasimi responded you will need to evaluate and handle each case of the SIR Incident closure logic to make sure it is re-opening correctly.

Generally, I try to have the business users address this through business process changes such as creating another security incident to then link to the original one that was closed prematurely.