When you create an incident or it is created automatically, the incident has the New status. You can change the status to In progress or Closed. When you change the New status to Closed and the incident has no assignee, the incident is automatically assigned to you.
The In progress status means that an analyst started working on the incident or resumed the work by changing the On hold status. You can change the In progress status to any other status.
The On hold status means that an analyst suspended work on the incident. Normally, you change the On hold status to In progress when the work is resumed, but you can change the On hold status to other statuses as well.
You close incidents when no additional work on the incident is expected. You can close an incident with one of the following resolutions:
True positive
False positive
Low priority
When you close an incident, the linked alerts also gain the Closed status and inherit the resolution from the incident. If the incident has no assignee, the closed incident is automatically assigned to you. If the closed incident has unassigned linked alerts, those alerts are automatically assigned to you.
The Closed status can only be changed to the New status. If you want to return a closed incident to work, change its status as follows: Closed→New→In progress.
To change the status of one or several incidents:
1. In the main menu, go to MONITORING & REPORTING→Incidents.
2. Select the check boxes next to the incidents whose status you want to change.
3. Click the Change status button.
4. In the Change status window, select the status to set.
If you set the Closed status, you must select a resolution and provide a short comment.
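The status rules above can be checked before a bulk change or in a playbook. The following is an added example, not code from the product: a small Python model of the transitions, the closing requirements and the automatic assignment described on this page. All names (`Incident`, `Alert`, `change_status`, `path`) are hypothetical, and what happens to the resolution or the linked alerts when a closed incident is reopened is not described here, so it is not modelled.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

NEW, IN_PROGRESS, ON_HOLD, CLOSED = "New", "In progress", "On hold", "Closed"
RESOLUTIONS = {"True positive", "False positive", "Low priority"}
# Allowed status changes as described on this page (hypothetical model, not a product API).
ALLOWED = {NEW: {IN_PROGRESS, CLOSED},
           IN_PROGRESS: {NEW, ON_HOLD, CLOSED},
           ON_HOLD: {NEW, IN_PROGRESS, CLOSED},
           CLOSED: {NEW}}

@dataclass
class Alert:
    status: str = NEW
    assignee: Optional[str] = None
    resolution: Optional[str] = None

@dataclass
class Incident:
    status: str = NEW
    assignee: Optional[str] = None
    resolution: Optional[str] = None
    alerts: list = field(default_factory=list)

def change_status(inc, new_status, actor, resolution=None, comment=""):
    """Apply one status change, enforcing the rules on this page."""
    if new_status not in ALLOWED[inc.status]:
        raise ValueError(f"{inc.status} -> {new_status} is not allowed")
    if new_status == CLOSED:
        if resolution not in RESOLUTIONS or not comment.strip():
            raise ValueError("closing requires a resolution and a comment")
        inc.resolution = resolution
        inc.assignee = inc.assignee or actor      # unassigned incident goes to the closer
        for alert in inc.alerts:                  # linked alerts inherit status and resolution
            alert.status, alert.resolution = CLOSED, resolution
            alert.assignee = alert.assignee or actor
    inc.status = new_status

def path(src, dst):
    """Shortest allowed sequence of statuses from src to dst (breadth-first search)."""
    queue, seen = deque([[src]]), {src}
    while queue:
        p = queue.popleft()
        if p[-1] == dst:
            return p
        for nxt in sorted(ALLOWED[p[-1]] - seen):
            seen.add(nxt)
            queue.append(p + [nxt])
    return None
```

`path(CLOSED, IN_PROGRESS)` returns the Closed→New→In progress sequence given above, and `path(NEW, ON_HOLD)` shows that a new incident has to pass through In progress before it can be put on hold.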