After taking measures to clean up the traces of the attacker's presence from the organization's IT infrastructure, you can close the incident.