Skip to main content

Threat CenterThreat Center Guide

Close Cases

When work has finished on cases, change the case stage to closed.

You can only close a case whose case stage is not already Closed.

  1. In the Cases tab, select cases to close:

    • To close all cases shown, select the checkbox in the header row, then click Close.

      All cases selected and the delete action highlighted in a red rectangle.
    • To close multiple cases, select the checkbox for the cases you're closing, then click Close.

      Three cases selected and the delete action highlighted in a red rectangle.
    • To close a single case:

      • Select the checkbox for a case, then click Close.

        threatcenter-cases-selectone-close.png
      • Select the case, then under Stage, select Closed.

        The stage menu opened in a case.
  2. In Select a reason, select the reason why you're closing the case:

    • Already mitigated/resolved – The threat has been addressed or resolved.

    • False positive or duplicate – The threat was mistakenly identified as a threat and is actually normal, non-malicious activity.

    • Low risk – The threat is insignificant or unlikely to harm the system or data.

    • Rule misconfiguration – Monitoring or detection content was misconfigured.

    • Policy or setup issue – The activity described in the case occurred because of known operations in your environment, like scheduled maintenance, authorized testing, or temporary workarounds.

    • Other – Enter a custom reason for why you're closing the case in the text box. You can enter up to 600 characters. To better communicate your message, you can also format the text.

  3. Click Confirm.

    In the case Overview tab, review the reason why the case was closed, the queue and assignee assigned to the case when it was closed, and the date and time the case was closed under Case Closed.