Close a Case

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

Upon completing review of a case, you should close it using one of the available closed statuses.

Important

If you are a Secureworks® Taegis™ MDR subscriber, the Taegis MDR Dashboard relies on cases being closed for proper statistic calculation.

| Status | Description |
| --- | --- |
| Closed: Confirmed Security Incident | Your organization’s systems or data have been compromised, or measures put in place to protect them have failed. The case is completed. |
| Closed: Authorized Activity | The activity is authorized or expected. The case is completed. |
| Closed: Threat Mitigated | The threat associated with the security incident has already been mitigated by a security control. The case is completed. |
| Closed: Not Vulnerable | The targeted system is not vulnerable to the exploit in question, and therefore the case does not constitute a security incident. The case is completed. |
| Closed: False Positive Alert | The activity the detection indicated did not occur. This is not a security incident, so the case is closed as a false positive. |
| Closed: Inconclusive | The activity’s root cause has not been identified and no further activity has been detected. The case is completed. |
| Closed: Informational | Analysis of the activity did not lead to any notable findings. The case is completed. |

To close a case:

  1. Open the case details page.
  2. On the Summary tab, choose the appropriate close code from the Status drop-down list.
  3. A pop-up modal displays the reason the case is being closed so you can confirm it.
  4. Select Close Case to confirm.

When a case is closed, its related detections and genesis detections will be labeled automatically according to the close code. The close codes and corresponding detection labels are as follows:

| Case Close Code | Corresponding Detection Label |
| --- | --- |
| Confirmed Security Incident | True Positive: Malicious |
| Authorized Activity | True Positive: Benign |
| Threat Mitigated | True Positive: Benign |
| Not Vulnerable | True Positive: Benign |
| False Positive Alert | False Positive |
| Inconclusive | Not Actionable |
| Informational | Not Actionable |

Tip

The default detection close code behavior is to copy the case close reason as indicated in the mapping table. However, you can override this default behavior and change the detection close code(s) based on the specific needs at the time the case is closed.

Note

Detection labels are one way the system can learn what activity is valuable to your organization based on data contained within the detections; therefore, it is important to choose the most relevant label based on the outcome of the case.

[Image: Closing a Case and Labeling Detections]