Security Incident Closure workflow
Close the security incident by updating the incident state.
Before you begin
Role required: sn_si.analyst
Procedure
- Navigate to Workspaces > Security Incident Response Workspace.
- For example, go to Lists > Security Incidents > Open incidents.
- Open an incident that you want to close.
- Go to the Details tab.
- Drill down to the incident state and select Close.
- Perform the closing activities.
This step is mandatory: review every response task before closing the security incident. All response tasks must be reviewed by the analyst and closed or canceled before the security incident is closed. When the analyst clicks Review active tasks, the Response Tasks tab opens. A session message indicates that you are in the process of closing a security incident.
- Click Continue. The first step in closing the security incident, reviewing active tasks, is complete.
Figure 1. Reviewing closure tasks
- Move to the next step, reviewing the active playbooks. This step is optional. You can click the link to review the active playbook tasks and close them as required. Note: Any active workflows, playbook activities, and flows are automatically cancelled when the security incident is closed.
Figure 2. Review playbook tasks
- Post-incident review report: You are now moved to the post-incident activities, which must be reviewed before the closure can proceed. If the assessment is optional, skip this step; if the assessment is mandatory, take the assessment and complete it.
Figure 3. Review/Take assessment
- Configure/preview report: This step is also optional. Click the link to review the report, then proceed to the next step.
- Provide Resolution details: The analyst can select the check box to create knowledge articles automatically.
- Provide the Closure code, Closure notes and click Close incident.
Note: If the analyst cancels the Close the security incident dialog box, the analyst can navigate to the Details tab and change the incident state to Close to continue with the closure.
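The closure gate described in the procedure above, modelled as an added example (this is not ServiceNow's API or the product's own code; the record fields, state names and the sample incident are assumptions chosen to illustrate the checks): active response tasks block closure, a mandatory assessment must be completed, a closure code and notes are required, and still-active playbook activities are cancelled on closure.

```python
"""Added example: model of the security incident closure gate.

Field names, state values and sample data are assumptions for
illustration, not ServiceNow's tables or API.
"""
from dataclasses import dataclass, field


@dataclass
class ResponseTask:
    name: str
    state: str  # assumed values: "open", "closed", "canceled"


@dataclass
class SecurityIncident:
    number: str
    state: str = "analysis"
    response_tasks: list = field(default_factory=list)
    active_playbook_activities: list = field(default_factory=list)
    assessment_mandatory: bool = False
    assessment_completed: bool = False
    closure_code: str = ""
    closure_notes: str = ""


def closure_blockers(inc):
    """Return the reasons the incident cannot be closed yet (empty list = OK)."""
    blockers = []
    open_tasks = [t.name for t in inc.response_tasks if t.state == "open"]
    if open_tasks:  # mandatory step: every response task closed or canceled
        blockers.append(f"active response tasks must be closed or canceled: {open_tasks}")
    if inc.assessment_mandatory and not inc.assessment_completed:
        blockers.append("mandatory post-incident assessment not completed")
    if not inc.closure_code:
        blockers.append("closure code is required")
    if not inc.closure_notes.strip():
        blockers.append("closure notes are required")
    return blockers


def close_incident(inc):
    """Refuse closure while blockers remain; otherwise set the state to
    'closed' and cancel any still-active playbook activities."""
    blockers = closure_blockers(inc)
    if blockers:
        return False, blockers
    cancelled = list(inc.active_playbook_activities)  # auto-cancelled on closure
    inc.active_playbook_activities.clear()
    inc.state = "closed"
    return True, cancelled
```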