Close one incident at a time or use Bulk Incident to
close multiple incidents at once on Prisma SaaS.
With automatic remediation,
Prisma SaaS performs appropriate actions and updates the category
and status for incidents matching a data pattern. For other open
incidents, Prisma SaaS identifies these open incidents as
you assess new incidents,
you might sometimes find the content of an asset or how the asset
is shared does not pose a threat to your organization. In these
cases, you can close the incident individually or close a group
of incidents. You can select a default close (denoted by a red icon)
for the incident.
because an asset owner’s
job responsibilities necessitate the specific user behaviors identified
in the policy or because the incident was triggered as part of testing
you performed in the process of fine-tuning your policies.
Prisma SaaS identified the asset as
an incident because it matched one or more policy rules. Unless
you change a setting (for example, changing a collaborator or
domain from Untrusted or Trusted), Prisma SaaS identifies the asset as
an incident again the next time it scans that asset. You should fine-tune the policy rules
to ensure assets that are real threats are the only assets identified
If you want to review the events recorded when
the status of an incident closes, review these changes in the remediation activity