Close an alert - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-01-26
Category
Administrator Guide
Abstract

You can close an alert by running the closeInvestigation command.

Once you complete your investigation, perform one of the following actions to close an alert:

  • Manually close an alert: Right-click an alert, select Change Status > Resolved, and select a resolution reason.

  • Automatically close an alert: Run the closeInvestigation command in the CLI, in a script, or a playbook task. You can configure this command to run as part of a flow when automating alert investigation.

The closeInvestigation command supports the closeReason and closeNotes arguments. The closeReason argument accepts a free text value; however, if that value doesn't match one of the defined resolution reasons, the resolution_status field is set to Resolved - Other. For a description of the resolution reasons, see Resolution reasons for incidents and alerts.

Example 55. Example of using the closeInvestigation command in the CLI

In this example, the command specifies to close the alert and set values for closeReason and closeNotes.

!closeInvestigation closeReason="Resolved - Known Issue" closeNotes="Mitigated"

Example 56. Example of using the closeInvestigation command in a playbook

In this example, the closeInvestigation command is used in a playbook and values are set for closeReason and closeNotes.

[Image: closeInvestigation_playbook_example.png]

Example 57. Example of using a variable in the closeReason field

In this example, the close reason field references the ${tmpCloseReason} variable. The tmpCloseReason key was added to the alert context data, and the value is drawn from that key when the task runs.

  1. To add the tmpCloseReason key and set its value, run the following command in the alert War Room:

    !Set key=tmpCloseReason value="Resolved - True Positive"
  2. Create a task in your playbook for the closeInvestigation command and set the closeReason field to ${tmpCloseReason}.

    [Image: closeInvestigation_playbook_example2.png]

    When the playbook runs, it draws the value from this field in the context data:

    [Image: tmpCloseReason_context_data.png]
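The mechanics the three examples describe (a key stored in alert context with !Set, a ${...} reference resolved when the playbook task runs, and a closeReason that falls back to Resolved - Other when it is not a defined resolution reason) can be walked through outside the platform. The following Python is an added example and is not Cortex XSIAM code or the platform's API: the context store, the variable resolver and the CLI renderer are stand-ins written for this illustration, and KNOWN_RESOLUTION_REASONS is a constructed subset containing only the values that appear on this page rather than a tenant's configured list. The strict option goes beyond the page: it makes a task fail loudly on an undefined reason instead of silently recording Resolved - Other, which is the behaviour a detection engineer usually wants so that closure statistics stay trustworthy.

```python
import re

# Constructed subset of resolution reasons, limited to the values that appear on this
# page; a real check would use the tenant's full configured list.
KNOWN_RESOLUTION_REASONS = frozenset({
    "Resolved - Known Issue",
    "Resolved - True Positive",
    "Resolved - Other",
})
FALLBACK_REASON = "Resolved - Other"

# Matches playbook variable references such as ${tmpCloseReason}.
_VAR_PATTERN = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def set_context_key(context: dict, key: str, value: str) -> dict:
    """Stand-in for `!Set key=<key> value=<value>`: stores a key in the alert context."""
    context[key] = value
    return context


def resolve_variables(field: str, context: dict) -> str:
    """Replace each ${key} in a task field with its value from context.

    Keys missing from context are left as written, so the caller can see the
    unresolved reference instead of an empty string.
    """
    return _VAR_PATTERN.sub(lambda m: str(context.get(m.group(1), m.group(0))), field)


def normalize_close_reason(reason: str, strict: bool = False) -> str:
    """Apply the documented rule: a closeReason that is not a defined resolution
    reason is recorded as Resolved - Other. With strict=True (an addition in this
    example) raise instead, so a typo in a playbook field cannot silently
    mis-categorise how the alert was resolved."""
    if reason in KNOWN_RESOLUTION_REASONS:
        return reason
    if strict:
        raise ValueError(f"unknown resolution reason: {reason!r}")
    return FALLBACK_REASON


def build_close_args(close_reason_field: str, close_notes: str, context: dict,
                     strict: bool = False) -> dict:
    """Produce the arguments a closeInvestigation task would run with: resolve
    variables in the closeReason field first, then apply the resolution-reason rule."""
    resolved = resolve_variables(close_reason_field, context)
    return {
        "closeReason": normalize_close_reason(resolved, strict=strict),
        "closeNotes": close_notes,
    }


def to_cli_command(args: dict) -> str:
    """Render the arguments as the War Room CLI line, double-quoting each value
    and keeping '=' adjacent to the value as in the page's own example."""
    def quote(value: str) -> str:
        return '"' + value.replace('"', '\\"') + '"'
    return "!closeInvestigation " + " ".join(f"{k}={quote(v)}" for k, v in args.items())


if __name__ == "__main__":
    # Example 57 end to end: set the key in context, then let the task resolve it.
    ctx = set_context_key({}, "tmpCloseReason", "Resolved - True Positive")
    print(to_cli_command(build_close_args("${tmpCloseReason}", "Mitigated", ctx)))
    # A free-text reason that is not a defined resolution reason lands in Resolved - Other.
    print(build_close_args("closed by analyst", "Mitigated", ctx)["closeReason"])
```

Running the module prints the CLI line for Example 57 and then shows the Resolved - Other fallback for a reason that is not defined. Inside an actual XSIAM automation, the dictionary returned by build_close_args is the shape of argument set you would hand to the closeInvestigation command; the point of the example is the ordering (resolve the variable, then validate the reason) and the choice between silent fallback and a hard failure.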