Configuring auto-close rules

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minute read
  • By configuring auto-close rules, you can automate the process of closing stale detections and findings associated with retired configuration items (CIs).

    The base system provides the following auto-close rules:
    • Assets last scanned: Detections associated with assets that haven’t been scanned within the last 90 days are transitioned to Stale state.
    • Detections last found: Detections that haven’t been found within the last 90 days. If you activate the Detections last found record, this feature requires a successful integration run of Rapid7 Comprehensive Vulnerable Item Integrations and Microsoft TVM Machine Vulnerabilities Integration (Full import) within the last seven days.

    Configuration of auto-close rules includes the following steps.

    Create or edit auto-close rules

    Create rules to close stale detections and findings associated with retired CIs automatically.

    Before you begin

    Role required: See Access control lists (ACLs) for administration rules

    Procedure

    1. Navigate to Workspaces > Security Exposure Management Workspace.
    2. Select Administration in the navigation pane.
    3. Select Review on the Auto-close rules tile.
    4. On the Rules page, select Auto-close in the navigation pane.
    5. Select New and fill in the fields on the form:
      Table 1. Auto-close rule form (Field: Description)

      Details
      • Name: Name of the rule.
      • Table: Name of the finding type for which the rule is being applied.
        Note: For vulnerable items (VITs), rules are applied to detections first, and then applied to the VITs, rather than being directly applied to the VITs.
      • Description: Description of the rule.
      • Active: Indicates whether the rule is active.

      If this condition is met
      • Condition fields: Filter conditions defining the records in the Findings and Remediation Task tables to which the rules apply.
      • New condition set: Adds more condition filter fields to choose from.

      Then do this
      Close findings automatically
      • Ignored deferred items: If selected, any findings or detections that are mapped to the In-review or Deferred states are ignored and not closed. If you clear this option, any findings or detections that match your criteria are closed.
    6. Select Save.

      The Auto-Close Stale Detections scheduled job runs daily. It identifies detections based on the specified conditions and transitions the matching ones to the Stale state.

      The job handles the following scenarios:

      • If all the detections within a VIT are marked as stale, the VIT is closed with the sub-state set as "Stale".
      • If there is at least one detection that remains open within a VIT, while others are in the Stale status, the VIT remains open.
      • In cases where there are detections with both "Closed" and "Stale" statuses within a VIT, the VIT is closed with the sub-state set as "Fixed".

      When you upgrade to the latest version of Unified Security Exposure Management, the conditions set in your auto-close rules also get updated accordingly. Additionally, if the rules are associated with different domains, the rules are created specifically within those domains.
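
The three scenarios handled by the scheduled job, together with the Ignored deferred items option, can be modeled offline to preview which VITs a rule would close before you activate it. This is an added example in plain JavaScript, not ServiceNow code: the field names `state` and `lastFound`, the "Open" and "Unchanged" labels, and the sample records are assumptions, and a detection that is neither Stale nor Closed is treated as still open.

```javascript
// Added model in plain JavaScript; not ServiceNow code and uses no platform API.
// Assumed names: fields `state` and `lastFound`, and the "Open" state label.
const DAY_MS = 24 * 60 * 60 * 1000;
const PROTECTED = new Set(["In-review", "Deferred"]);

// Step 1: mark detections not found within `days` as Stale.
// ignoreDeferred mirrors the "Ignored deferred items" option on the rule form.
function markStale(detections, now, { days = 90, ignoreDeferred = true } = {}) {
  const cutoff = now.getTime() - days * DAY_MS;
  return detections.map((d) => {
    if (d.state === "Closed" || d.state === "Stale") return d;
    if (ignoreDeferred && PROTECTED.has(d.state)) return d;
    return new Date(d.lastFound).getTime() < cutoff ? { ...d, state: "Stale" } : d;
  });
}

// Step 2: roll detection states up to the VIT, following the three scenarios.
function rollUpVit(detections) {
  const stale = detections.filter((d) => d.state === "Stale").length;
  const closed = detections.filter((d) => d.state === "Closed").length;
  // Assumption: with no stale detection the job leaves the VIT as it is.
  if (stale === 0) return { state: "Unchanged", substate: null };
  if (stale === detections.length) return { state: "Closed", substate: "Stale" };
  if (stale + closed === detections.length) return { state: "Closed", substate: "Fixed" };
  return { state: "Open", substate: null }; // at least one detection is still open
}

// Preview the outcome per VIT for a map of VIT id -> detections.
function previewJob(vits, now, options) {
  const result = {};
  for (const [id, detections] of Object.entries(vits)) {
    result[id] = rollUpVit(markStale(detections, now, options));
  }
  return result;
}

// Constructed sample data (not from a real instance).
const NOW = new Date("2026-03-12T00:00:00Z");
const SAMPLE_VITS = {
  "VIT-A": [{ state: "Open", lastFound: "2025-10-01" }, { state: "Open", lastFound: "2025-11-01" }],
  "VIT-B": [{ state: "Open", lastFound: "2025-10-01" }, { state: "Open", lastFound: "2026-03-01" }],
  "VIT-C": [{ state: "Closed", lastFound: "2025-08-01" }, { state: "Open", lastFound: "2025-09-15" }],
  "VIT-D": [{ state: "Deferred", lastFound: "2025-09-15" }, { state: "Open", lastFound: "2025-09-15" }],
};

console.log(previewJob(SAMPLE_VITS, NOW, { ignoreDeferred: true }));
console.log(previewJob(SAMPLE_VITS, NOW, { ignoreDeferred: false }));
```

In the sample, VIT-D stays open while the option is selected and closes with sub-state Stale once it is cleared, which is the difference to check for before clearing that option on a production rule.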