Close multiple security incidents

  • Release version: Xanadu
  • Updated June 23, 2025
  • 1 minute to read

    • Close multiple security incidents at the same time to avoid having to close related incidents individually, such as incidents created with a common root cause or false positive incidents.

    Before you begin

    Role required: sn_si.analyst

    Procedure

    1. Navigate to Workspaces > Security Incident Response Workspace.
    2. Select the Security Incidents icon .
    3. In the Lists tab, select Security Incidents > All Open.
    4. Select one or more security incidents to close and select Close.
      The Bulk Close the security incidents window displays links to access lists of the security incidents selected to be closed.
      • If at least one selected security incident has pending activities such as active tasks, playbooks, child SIs, assessments, or active flows, the Security incidents with active tasks, playbooks, child SIs, assessments and active flows link is displayed.
      • If at least one security incident selected for closing has no pending closing activities, the Security incidents ready to be closed link is displayed.

      Close multiple security incidents

      Any active pending active tasks, playbooks, child SIs, assessments, and active flows will automatically be closed when you proceed with the bulk closure.

    5. Optional: If you're not sure whether active items for incidents should be closed, review the security incidents with active items.
      1. Select the Security incidents with active tasks, playbooks, child SIs, assessments and active flows link.
      2. Open the security incident you want to review.
      3. If any changes are necessary, make them and select Save.
      4. Close the incident tab.
      5. Select Take me back.
    6. Select next.
    7. In the Close Code field, select the applicable close code.
      The available close codes are:
      • Investigation completed
      • Threat mitigated
      • Patched vulnerability
      • Invalid vulnerability
      • Not resolved
      • False positive
    8. In the Close notes field, enter any notes.
    9. Select Bulk Close.

    Result

    The incident closing activity runs in the background.