Kaspersky Next XDR Expert

Changing an incident status


As a work item, an incident has a status that shows the current state of the incident in its life cycle.

You can change the status of your own incidents or the incidents of other analysts only if you have the access right to read and modify alerts and incidents.

If the incident status is changed manually, playbooks will not launch automatically. You can launch a playbook for such an incident manually.

An incident can have one of the following statuses:

  • New

    When you create an incident or it is created automatically, the incident has the New status. You can change the status to In progress or Closed. When you change the New status to Closed and the incident has no assignee, the incident is automatically assigned to you.

  • In progress

    This status means that an analyst has started working on the incident, or has resumed work on an incident that was On hold. You can change the In progress status to any other status.

  • On hold

    This status means that an analyst suspended work on the incident. Normally, you change the On hold status to In progress when the work is resumed, but you can change the On hold status to other statuses as well.

  • Closed

    You close incidents when no additional work on the incident is expected. You can close an incident with one of the following resolutions:

    • True positive
    • False positive
    • Low priority

    When you close an incident, the linked alerts also gain the Closed status and inherit the resolution from the incident. If the incident has no assignee, the closed incident is automatically assigned to you. If the closed incident has unassigned linked alerts, those alerts are automatically assigned to you.

    The Closed status can only be changed to the New status. To return a closed incident to work, change its status as follows: Closed → New → In progress.

To change the status of one or several incidents:

  1. In the main menu, go to MONITORING & REPORTING → Incidents.
  2. Do one of the following:
    • Select the check boxes next to the incidents whose status you want to change.
    • Click the link with the ID of the incident whose status you want to change.

      The Incident details window opens.

  3. Click the Change status button.
  4. In the Change status pane, select the status to set.

    When you select the Closed status, you must select a resolution.

    If the Allow users with certain permissions only to close this incident check box was selected when the Closed status was edited in the incident workflow, you must have either the Main Administrator or the Approver XDR role to close the incident.

    If you change the incident status to Closed and this incident contains uncompleted playbooks or response actions, all related playbooks and response actions will be terminated.

  5. Click the Save button.

The status of the selected incidents is changed.

You can also change an incident status by using playbooks.
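The lifecycle rules listed above and the closing rules in the procedure (a required resolution, linked alerts inheriting the status and resolution, automatic assignment of unassigned items, termination of uncompleted playbooks) can be written down as a small state machine. The Python model below is an added example, not Kaspersky code or the product's API: the Incident, Alert and change_status names are assumptions, and it treats an empty assignee as "unassigned".

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(str, Enum):
    NEW = "New"
    IN_PROGRESS = "In progress"
    ON_HOLD = "On hold"
    CLOSED = "Closed"

RESOLUTIONS = {"True positive", "False positive", "Low priority"}
# Allowed target statuses for each current status, as documented above.
ALLOWED = {
    Status.NEW: {Status.IN_PROGRESS, Status.CLOSED},
    Status.IN_PROGRESS: {Status.NEW, Status.ON_HOLD, Status.CLOSED},
    Status.ON_HOLD: {Status.NEW, Status.IN_PROGRESS, Status.CLOSED},
    Status.CLOSED: {Status.NEW},  # a closed incident can only be reopened as New
}

@dataclass
class Alert:  # hypothetical model; empty assignee means "unassigned"
    alert_id: str
    status: Status = Status.NEW
    assignee: str = ""
    resolution: str = ""

@dataclass
class Incident:  # hypothetical model of an incident with its linked alerts
    incident_id: str
    status: Status = Status.NEW
    assignee: str = ""
    resolution: str = ""
    alerts: list = field(default_factory=list)
    running_playbooks: list = field(default_factory=list)

def change_status(inc, target, actor, resolution=""):
    """Manually move `inc` to `target` on behalf of `actor`. Enforces the transition
    table, applies the side effects of closing and returns the terminated playbooks.
    A manual change never auto-launches playbooks, so none are started here."""
    if target not in ALLOWED[inc.status]:
        raise ValueError(f"{inc.status.value} -> {target.value} is not allowed")
    terminated = []
    if target is Status.CLOSED:
        if resolution not in RESOLUTIONS:
            raise ValueError("closing an incident requires a resolution")
        inc.resolution = resolution
        inc.assignee = inc.assignee or actor  # unassigned incident goes to the closer
        for alert in inc.alerts:  # linked alerts inherit the status and resolution
            alert.status, alert.resolution = Status.CLOSED, resolution
            alert.assignee = alert.assignee or actor
        terminated, inc.running_playbooks = inc.running_playbooks, []  # uncompleted playbooks stop
    inc.status = target
    return terminated
```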

See also:

About incidents

Assigning incidents to analysts
