> For the complete documentation index, see [llms.txt](https://docs.vectra.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.vectra.ai/operations/analyst-guidance/new-close-workflow.md). # New close workflow ## Introduction This article describes the New Close Workflow functionality. This capability is designed to streamline operations, ensure clarity in resolution of actions, and ultimately capture the outcomes which enables reporting on these outcomes. The existing Operational Metrics report is disabled when the New Close Workflow is enabled. Vectra's [Operational Overview report](/operations/dashboards-and-reports/operational-overview-report-guidance.md) shows detail on New Close Workflow outcomes. Some tracking of outcomes is also available in the [Executive Overview report](/operations/dashboards-and-reports/executive-overview-report-guidance.md). When the New Close Workflow is enabled, new **Close As** options are available for detections and entities. These new options replace the former **Filter just this detection** and **Mark as Fixed** options. Entity assignments are **NOT** closed when using **Close As** at the entity level and assignments must be changed or deleted manually. The [Triage Best Practices](/configuration/tuning/triage-best-practices.md) article provides detailed guidance for triage actions and terminology. The New Close Workflow described in this article also determines how some aspects of triage function, because when enabled, there will no longer be an option to **Mark as Fixed** or **Filter just this detection** and detections will need to be closed as **Benign**, **Remediated**, or a **Create Filter Rule** action can be created to triage the detection, future detections, and other active detections that have not aged out in the system. The [Assignment Workflow FAQ](/operations/analyst-guidance/assignnment-workflow-faq-prior-to-new-close-workflow.md) provides guidance for using assignment at an entity level. ## Enablement All deployments now default to having the New Close Workflow enabled unless a customer has specifically disabled it. To check the status in your UI, simply navigate to *Configuration → SETUP → General Settings → New Close Workflow*: ![](/files/7IiaQCwtIpg61uOq3YIN) It is still possible to disable the New Close Workflow, but Vectra plans to fully remove the legacy workflow in a future update. Please contact Vectra to discuss if this will be problematic for your deployment. ## How the New Close Workflow Functions? ### Entity Assignment and Closure/Resolution When working with entities (hosts and accounts) in Vectra AI products, you can assign the entity to an analyst. What happens inside the system is that all the active detections for that entity are assigned to the chosen analyst. Detections can then be closed or filtered/resolved at a detection level or at an entity level. When closing at the entity level, all assigned detections are also closed but the assignment, if present, remains until changed or deleted manually. ### Filtering or Closing Individual Detections Individual detections can be filtered or closed so that the detection will no longer impact the score for an entity. This can be done by individual detection or in bulk. Options again vary based on where you are in your Vectra UI and which close workflow you are using. #### **Via Individual Detection Pages:** | | | | -------------------------------- | -------------------------------- | | **New Close Workflow** | **Legacy Workflow** | | ![](/files/lNj07bQXQURy0k8p7r2W) | ![](/files/CWBqgUdXQMdPtkYDruKM) | #### **Via Bulk Actions From the Detections Page in Your UI:** | | | | -------------------------------- | -------------------------------- | | **New Close Workflow** | **Legacy Workflow** | | ![](/files/VJLwCFHDr5w1EDGzxBnc) | ![](/files/K1Df9mo2tfAsplaXCpYB) | ### Closing or Resolving All Active Detections on an Entity When using the New Close Workflow or when working with entity assignment and resolution in the legacy workflow, all active detections can be triaged easily at once at an entity level. * When using **Close As** at an entity level, all active detections attributed to the entity will be closed (triaged) as either **Benign** or **Remediated**. * If the entity was assigned to an analyst, this does not close the assignment. If you wish for future detections to not be assigned to the same analyst, change or delete the assignment. * When resolving an entity assignment using the legacy workflow, choosing any outcome will close the assignment, triage the individual detections, and close the assignment. | | | | -------------------------------- | -------------------------------- | | **New Close Workflow** | **Legacy Workflow** | | ![](/files/zjsfQgn897UvCvZlqBSX) | ![](/files/qyeY1fsunZVR8E6KCa2n) | ## Why Should Entity Assignments / Detections Be Closed? The [Executive Overview report](/operations/dashboards-and-reports/executive-overview-report-guidance.md) provides some tracking of assignment and detection outcomes. The [Operational Overview report](/operations/dashboards-and-reports/operational-overview-report-guidance.md) tracks things like: * MTTA - Mean Time To Assignment * MTTI - Mean Time To Investigate * MTTR - Mean Time To Resolve Using entity assignments and closing the detections assigned to an entity will drive the numbers used on the reports and help measure SOC team effectiveness in dealing with prioritized alerts from the system. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.vectra.ai/operations/analyst-guidance/new-close-workflow.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.