Close incident

Relative path: /v2/incidents/{incidentUuid}:close

Close an incident.

Request body

Display Schema instead of an Example or vice-versa

Type	Required	Example	Schema
application/json	No	{ "closureReason": "INCIDENT_RESOLVE_REASON_UNSPECIFIED", "finalComment": { "authorUuid": "string", "createTime": "string", "incidentUuid": "string", "isFinalComment": true, "text": "string", "updateTime": "string", "uuid": "string" } }	{ "$ref": "IncidentsCloseIncidentBody", "closureReason": { "$ref": "v2IncidentResolveReason", "type": "string", "description": "Possible reasons for resolved incident. INCIDENT_RESOLVE_REASON_UNSPECIFIED: fallback INCIDENT_RESOLVE_REASON_TRUE_POSITIVE: The incident was a true positive, indicating a genuine security threat. INCIDENT_RESOLVE_REASON_FALSE_POSITIVE: The incident was initially thought to be a security threat but later determined to be a false alarm. INCIDENT_RESOLVE_REASON_SUSPICIOUS: The incident is not a confirmed threat (true positive), but investigating it can provide valuable insights into user behavior patterns and help mitigate potential attacks.", "default": "INCIDENT_RESOLVE_REASON_UNSPECIFIED", "enum": [ "INCIDENT_RESOLVE_REASON_UNSPECIFIED", "INCIDENT_RESOLVE_REASON_TRUE_POSITIVE", "INCIDENT_RESOLVE_REASON_FALSE_POSITIVE", "INCIDENT_RESOLVE_REASON_SUSPICIOUS" ] }, "finalComment": { "$ref": "v2IncidentComment", "description": "Incident comment is every comment connected to incident. These comments are created during the life cycle of the incident and better describe what happened to the incident during each step of its life cycle(Preparation, Detection, Analysis, Containment, Eradication, Recovery, Post-incident activity).", "authorUuid": { "type": "string", "description": "Principal responsible for the first revision of the comment. It might be identification of user. In some cases it can be a service represented by service account. type: user_management.v1.User", "readOnly": true }, "createTime": { "type": "string", "description": "Timestamp for when the comment was created.", "format": "date-time", "readOnly": true }, "incidentUuid": { "type": "string", "description": "Reference to the root - [Incident]. type: v2.Incident" }, "isFinalComment": { "type": "boolean", "description": "Define, whether comment is added during closing of incident and should describe why and how was incident resolved and closed. False means standard comment." }, "text": { "type": "string", "description": "Text content of the comment." }, "updateTime": { "type": "string", "description": "Represents the timestamp when the comment was most recently updated. Any change to the comment made by users (create/update/delete) must update this value; changes to a comment made internally by the service should refresh this value unless specified otherwise on entity level. Info: Modeled after: https://google.aip.dev/148#timestamps", "format": "date-time", "readOnly": true }, "uuid": { "type": "string", "description": "Unique identifier of the entity. Must be collision free - two identifiers created anywhere in the world must not collide within entity parent scope. Unless a member of aggregate, the entity scope is always global. Although most of the times compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace, do not rely on it being a RFC UUID. Treat it as an opaque identifier. RFC UUID can be recognized by being formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'" } } }

Type

Required

Example

Schema

application/json

{
  "closureReason": "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
  "finalComment": {
    "authorUuid": "string",
    "createTime": "string",
    "incidentUuid": "string",
    "isFinalComment": true,
    "text": "string",
    "updateTime": "string",
    "uuid": "string"
  }
}

{
"$ref": "IncidentsCloseIncidentBody",
"closureReason": {
"$ref": "v2IncidentResolveReason",
"type": "string",
"description": "Possible reasons for resolved incident. INCIDENT_RESOLVE_REASON_UNSPECIFIED: fallback INCIDENT_RESOLVE_REASON_TRUE_POSITIVE: The incident was a true positive, indicating a genuine security threat. INCIDENT_RESOLVE_REASON_FALSE_POSITIVE: The incident was initially thought to be a security threat but later determined to be a false alarm. INCIDENT_RESOLVE_REASON_SUSPICIOUS: The incident is not a confirmed threat (true positive), but investigating it can provide valuable insights into user behavior patterns and help mitigate potential attacks.",
"default": "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
"enum": [
"INCIDENT_RESOLVE_REASON_UNSPECIFIED",
"INCIDENT_RESOLVE_REASON_TRUE_POSITIVE",
"INCIDENT_RESOLVE_REASON_FALSE_POSITIVE",
"INCIDENT_RESOLVE_REASON_SUSPICIOUS"
]
},
"finalComment": {
"$ref": "v2IncidentComment",
"description": "Incident comment is every comment connected to incident. These comments are created during the life cycle of the incident and better describe what happened to the incident during each step of its life cycle(Preparation, Detection, Analysis, Containment, Eradication, Recovery, Post-incident activity).",
"authorUuid": {
"type": "string",
"description": "Principal responsible for the first revision of the comment. It might be identification of user. In some cases it can be a service represented by service account. type: user_management.v1.User",
"readOnly": true
},
"createTime": {
"type": "string",
"description": "Timestamp for when the comment was created.",
"format": "date-time",
"readOnly": true
},
"incidentUuid": {
"type": "string",
"description": "Reference to the root - [Incident]. type: v2.Incident"
},
"isFinalComment": {
"type": "boolean",
"description": "Define, whether comment is added during closing of incident and should describe why and how was incident resolved and closed. False means standard comment."
},
"text": {
"type": "string",
"description": "Text content of the comment."
},
"updateTime": {
"type": "string",
"description": "Represents the timestamp when the comment was most recently updated. Any change to the comment made by users (create/update/delete) must update this value; changes to a comment made internally by the service should refresh this value unless specified otherwise on entity level. Info: Modeled after: https://google.aip.dev/148#timestamps",
"format": "date-time",
"readOnly": true
},
"uuid": {
"type": "string",
"description": "Unique identifier of the entity. Must be collision free - two identifiers created anywhere in the world must not collide within entity parent scope. Unless a member of aggregate, the entity scope is always global. Although most of the times compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace, do not rely on it being a RFC UUID. Treat it as an opaque identifier. RFC UUID can be recognized by being formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'"
}
}
}

Parameters in path

Name	Type	Required	Description
incidentUuid	string	Yes	Reference to [Incident]. type: Incident

Responses

Display Schema instead of an Example or vice-versa

Code	Description	Example	Schema
200	Successful response.	{}	{ "$ref": "v2CloseIncidentResponse", "title": "empty", "type": "object" }
202	Response took too long; request cached. Response can be retrieved later using the response-id header.	null	[]
400	One of the errors: 1. Bad or missing authorization. 2. Validation error. Invalid argument provided.	null	[]
401	Token has expired or is invalid.	null	[]
403	Access denied. Check permissions.	null	[]
404	Requested resource not found.	null	[]
429	Rate limit reached. Try again later.	null	[]
500	Internal server failure. Try again later.	null	[]
502	Internal server failure. Try again later.	null	[]
503	Environment under maintenance. Try again later.	null	[]
504	Action took too long; timeout reached	null	[]

˄˅