Close Cases
When work has finished on cases, change the case stage to closed.
You can only close a case whose case stage is not already Closed.
In the Cases tab, select cases to close:
- To close all cases shown, select the checkbox in the header row, then click Close.
- To close multiple cases, select the checkbox for the cases you're closing, then click Close.
- To close a single case:
  - Select the checkbox for a case, then click Close.
  - Select the case, then under Stage, select Closed.
In Select a reason, select the reason why you're closing the case:
- Already mitigated/resolved – The threat has been addressed or resolved.
- False positive or duplicate – The threat was mistakenly identified as a threat and is actually normal, non-malicious activity.
- Low risk – The threat is insignificant or unlikely to harm the system or data.
- Rule misconfiguration – Monitoring or detection content was misconfigured.
- Policy or setup issue – The activity described in the case occurred because of known operations in your environment, like scheduled maintenance, authorized testing, or temporary workarounds.
- Other – Enter a custom reason for why you're closing the case in the text box. You can enter up to 600 characters. To better communicate your message, you can also format the text.
Click Confirm.
In the case Overview tab, review the reason why the case was closed, the queue and assignee assigned to the case when it was closed, and the date and time the case was closed under Case Closed.