You can close an alert by running the closeInvestigation command.
Once you complete your investigation, perform one of the following actions to close an alert:
Manually close an alert: Right-click an alert and select → and select a resolution reason.
Automatically close an alert: Run the closeInvestigation command in the CLI, in a script, or in a playbook task. You can configure this command to run as part of a flow when automating alert investigation.
The closeInvestigation command supports the closeReason and closeNotes arguments. The closeReason argument accepts a free-text value; however, if the value does not match one of the defined resolution reasons, the resolution_status field is set to Resolved - Other. Check the value before you automate the close, because a misspelled reason is not rejected but silently recorded as Resolved - Other. To see a description of the resolution reasons, see Resolution reasons for incidents and alerts.
In this example, the command closes the alert and sets values for closeReason and closeNotes:
!closeInvestigation closeReason="Resolved - Known Issue" closeNotes="Mitigated"
In the following example, the closeInvestigation command is used in a playbook, and values are set for closeReason and closeNotes. The closeReason field references the ${tmpCloseReason} variable. The tmpCloseReason key was added to the alert context data, and the value is drawn from that key.
1. Add the tmpCloseReason key and set its value by running the following command in the alert War Room:
!Set key=tmpCloseReason value="Resolved - True Positive"
2. Create a task in your playbook for the closeInvestigation command and set the closeReason field to ${tmpCloseReason}. When the playbook runs, it draws the value from this key in the context data.