Closing an Incident

Close the incident to make it easier for other Incident Responders to see that the incident no longer requires attention. Closing the incident also makes it easier for you to filter out the incidents that are no longer a risk.
If this incident is an Advanced Attack Technique (AAT) and a false positive, add the event signature to the Allow List policy before you close the incident. That way, Symantec EDR won't create future incidents for the activity that is normal for your environment.
The following procedure lists the steps to close an incident:
  1. Log on to the Symantec Endpoint Security console and navigate to
    Incidents and Alerts
  2. Select one or multiple incidents that you want to close.
  3. Click
  4. On the
    Close Incident
    page, select the appropriate Resolution from the list and enter a comment.
    Once you close an incident, it cannot be reopened. However, you can view it in read-only mode.
  5. lick