Closing incidents in MDR Web Console
February 12, 2024
You can close an incident if you know that it is a duplicate or you are not going to solve it. In other cases, you must not close incidents, as they need to be solved by MDR SOC analysts. MDR SOC analysts resolve an incident if the measures that they recommended within this incident are applied. A resolved incident automatically closes after 72 hours.
To close an incident:
- In MDR Web Console, navigate to the Incidents menu item.
The incident list opens.
- Click the row of the incident whose details you want to view.
The incident page opens.
- On the Summary tab of the page, click the Close incident button in the lower part of the window.
There is no Close incident button for incidents with the Closed status.
The Close incident block appears.
- In the Reason why you are closing this incident field, specify any additional information that you want to communicate to Kaspersky Managed Detection and Response SOC analysts. For example, you can explain why you consider this incident to be a standard, non-threatening situation for your infrastructure. You can leave this field empty.
- Below the comment field, select the True positive or False positive option, depending on the closure reason.
Select the True positive option if Kaspersky Managed Detection and Response detected a threat, but you do not want MDR SOC analysts to investigate and solve the incident.
Select the False positive option if Kaspersky Managed Detection and Response detected a non-threatening activity as a threat. Kaspersky Managed Detection and Response uses this information for improving the automated detection algorithms.
- In the lower part of the block, click the Close button.
The Close incident block disappears.
The incident is closed. From now on, Kaspersky Managed Detection and Response will perform no actions in relation to this incident.