Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Close an Investigation

investigations close codes

Upon completing an investigation, you should close it using one of the available closed statuses.


If you are a ManagedXDR subscriber, the ManagedXDR Dashboard relies on investigations being closed for proper statistic calculation.

Status Description
Closed: Confirmed Security Incident Your organization’s systems or data have been compromised or measures put in place to protect them have failed. The investigation is completed.
Closed: Authorized Activity The activity is authorized or expected. The investigation is completed.
Closed: Threat Mitigated The threat associated with the security incident has already been mitigated by a security control. The investigation is completed.
Closed: Not Vulnerable The targeted system is not vulnerable to the exploit in question and therefore the investigation does not constitute a security incident. The investigation is completed.
Closed: False Positive Alert The activity the alert indicated did not occur. This is not a security incident, so the investigation is closed as a false positive.
Closed: Inconclusive The activity’s root cause has not been identified and there is no further activity detected. The investigation is completed.
Closed: Informational Analysis conducted of the activity did not lead to any notable findings. The investigation is completed.

To close an investigation:

  1. Open the investigation details page.
  2. On the Summary tab, choose the appropriate close code from the Status drop-down list.
  3. A pop-up modal confirms the reason the investigation is being closed.
  4. Select Close Investigation to confirm.

When an investigation is closed, its related alerts and genesis alerts will be labeled automatically according to the close code. The close codes and corresponding alert labels are as follows:

Investigation Close Code Corresponding Alert Label
Confirmed Security Incident True Positive: Malicious
Authorized Activity True Positive: Benign
Threat Mitigated True Positive: Benign
Not Vulnerable True Positive: Benign
False Positive Alert False Positive
Inconclusive Not Actionable
Informational Not Actionable


Alert labels are one way the system can learn what activity is valuable to your organization based on data contained within the alerts; therefore, it is important to choose the most relevant label based on the outcome of the investigation.

Closing an Investigation and Labeling Alerts

Closing an Investigation and Labeling Alerts