Close Incidents

Close one incident at a time or use Bulk Incident to close multiple incidents at once on Prisma SaaS.
With automatic remediation, Prisma SaaS performs appropriate actions and updates the category and status for incidents matching a data pattern. For other open incidents, Prisma SaaS identifies these open incidents as New.
When you assess new incidents, you might sometimes find that the content of an asset, or how the asset is shared, does not pose a threat to your organization. In these cases, you can close the incident individually or close a group of incidents. You can select a default close (denoted by a red icon) Status category:
  • No Reason found for the incident.
  • Business Justified because an asset owner’s job responsibilities necessitate the specific user behaviors identified in the policy or because the incident was triggered as part of testing you performed in the process of fine-tuning your policies.
  • Misidentified as a data pattern match or policy violation.
Additionally, you can customize the incident categories to create close incident categories to suit your organization’s needs.
Prisma SaaS identified the asset as an incident because it matched one or more policy rules. Unless you change a setting (for example, changing a collaborator or domain from Untrusted to Trusted), Prisma SaaS identifies the asset as an incident again the next time it scans that asset. You should fine-tune the policy rules to ensure that assets that are real threats are the only assets identified as incidents.
If you want to review the events recorded when the status of an incident closes, review these changes in the remediation activity logs.
  • Close a group of incidents.
    1. Click Incidents > Assets.
    2. Select up to 1000 incidents.
    3. Click Actions > Change Status.
    4. Select a close Status, denoted by a red icon.
  • Close a single incident.
    1. Click the asset name to view the Asset Details or Security Controls Incident Details.
    2. Select a close Status, denoted by a red icon.
