You can close an alert by running the closeInvestigation command.
Once you complete your investigation, perform one of the following actions to close an alert:
Manually close an alert: Right-click an alert and select → and select a resolution reason.
Automatically close an alert: Run the closeInvestigation command in the CLI, in a script, or in a playbook task. You can configure this command to run as part of a flow when automating alert investigation.
The closeInvestigation command supports the closeReason and closeNotes arguments. The closeReason argument accepts a free text value; however, if the free text value doesn't match one of the defined resolution reasons the resolution_status field is set to Resolved - Other. To see a description of the resolution reasons, see Resolution reasons for incidents and alerts.
Note
When an alert is resolved it remains linked to an incident. Once all of the alerts in an incident are resolved, the incident is automatically closed.
In this example, the command specifies to close the alert and set values for closeReason and closeNotes.
!closeInvestigation closeReason="Resolved - Known Issue" closeNotes="Mitigated"
In this example, the closeInvestigation command is used in a playbook task and values are set for closeReason and closeNotes. The closeReason field specifies the ${tmpCloseReason} variable. The tmpCloseReason key was added to the alert context data, and the value is drawn from that field.
To add the tmpCloseReason key and set its value, run the following command in the alert War Room:
!Set key=tmpCloseReason value="Resolved - True Positive"
Create a task in your playbook for the closeInvestigation command and set the closeReason field to ${tmpCloseReason}. When the playbook runs, it draws the value from this field in the context data.
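The following Python is an added illustration, not product code, of how the two arguments resolve: a ${key} placeholder is filled from alert context data, and a closeReason that is not one of the defined resolution reasons maps to Resolved - Other. The set of resolution reasons and the placeholder syntax used here are assumptions built only from the values this page shows; the authoritative list is in Resolution reasons for incidents and alerts.

```python
# Added example: models closeInvestigation argument handling offline.
import json
import re

# Assumed subset of resolution reasons, taken only from values on this page.
KNOWN_RESOLUTION_REASONS = {
    "Resolved - True Positive",
    "Resolved - Known Issue",
    "Resolved - Other",
}

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve_placeholders(value: str, context: dict) -> str:
    """Replace ${key} references with the matching alert context value.

    A missing key is an error rather than an empty string, so a playbook
    that forgot the !Set step fails visibly instead of closing the alert
    with a blank reason.
    """
    def _lookup(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"context key {key!r} was never set")
        return str(context[key])
    return PLACEHOLDER.sub(_lookup, value)


def resolution_status(close_reason: str) -> str:
    """Free text that matches no defined reason becomes 'Resolved - Other'."""
    if close_reason in KNOWN_RESOLUTION_REASONS:
        return close_reason
    return "Resolved - Other"


def build_close_command(close_reason: str, close_notes: str, context: dict):
    """Return (War Room command line, resulting resolution_status)."""
    reason = resolve_placeholders(close_reason, context)
    notes = resolve_placeholders(close_notes, context)
    # json.dumps gives a double-quoted, escaped argument value.
    command = (f"!closeInvestigation closeReason={json.dumps(reason)} "
               f"closeNotes={json.dumps(notes)}")
    return command, resolution_status(reason)


if __name__ == "__main__":
    # Constructed context, as left by: !Set key=tmpCloseReason value="..."
    ctx = {"tmpCloseReason": "Resolved - True Positive"}
    print(build_close_command("${tmpCloseReason}", "Mitigated", ctx))
```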