Close an Investigation
Upon completing an investigation, you should close it using one of the available closed statuses.
Important
If you are a Secureworks® Taegis™ ManagedXDR subscriber, the ManagedXDR Dashboard relies on investigations being closed for proper statistic calculation.
| Status | Description |
|---|---|
| Closed: Confirmed Security Incident | Your organization’s systems or data have been compromised or measures put in place to protect them have failed. The investigation is completed. |
| Closed: Authorized Activity | The activity is authorized or expected. The investigation is completed. |
| Closed: Threat Mitigated | The threat associated with the security incident has already been mitigated by a security control. The investigation is completed. |
| Closed: Not Vulnerable | The targeted system is not vulnerable to the exploit in question and therefore the investigation does not constitute a security incident. The investigation is completed. |
| Closed: False Positive Alert | The activity the alert indicated did not occur. This is not a security incident, so the investigation is closed as a false positive. |
| Closed: Inconclusive | The activity’s root cause has not been identified and there is no further activity detected. The investigation is completed. |
| Closed: Informational | Analysis conducted of the activity did not lead to any notable findings. The investigation is completed. |
To close an investigation:
- Open the investigation details page.
- On the Summary tab, choose the appropriate close code from the Status drop-down list.
- A pop-up modal confirms the reason the investigation is being closed.
- Select Close Investigation to confirm.
When an investigation is closed, its related alerts and genesis alerts will be labeled automatically according to the close code. The close codes and corresponding alert labels are as follows:
| Investigation Close Code | Corresponding Alert Label |
|---|---|
| Confirmed Security Incident | True Positive: Malicious |
| Authorized Activity | True Positive: Benign |
| Threat Mitigated | True Positive: Benign |
| Not Vulnerable | True Positive: Benign |
| False Positive Alert | False Positive |
| Inconclusive | Not Actionable |
| Informational | Not Actionable |
Note
Alert labels are one way the system can learn what activity is valuable to your organization based on data contained within the alerts; therefore, it is important to choose the most relevant label based on the outcome of the investigation.
Closing an Investigation and Labeling Alerts