Close an investigation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-15
Category
Administrator Guide
Abstract

Learn how to close an existing investigation from the Forensic Investigation page.

From the list of ongoing investigations, you can close an investigation.

Note

When you close an investigation, it waits 24 hours before deleting any collections associated with that investigation. During that timeframe, you have the option to cancel the close investigation action.

  1. From the Forensic Investigations table, right-click an investigation and select Close.

  2. In the Close Investigation widget, all evidence collections exported for the investigation are shown. Click Close Investigation, to start closing investigation process.

  3. In the Forensic Investigation table, the status is changed to Close Pending, with the timestamp when the investigation expires and all the data associated with the investigation gets deleted.

  4. Right-click the investigation to activate one of the options:

    • Edit: Enables you to update the investigation name, description, or adjust user permissions.

    • Open: After selecting open, the close request is cancelled.

    • Permanently delete: The investigation and all the associated data is deleted immediately and can't be cancelled.