Resolve and close cases


This document describes how to close cases in Google Security Operations using various interface options, including the case details page, the case queue (side-by-side and list views), and the Search page. It also explains how to view the contents of closed cases.

Ways to close a case

You can close a case once it's resolved. You can do this from the following locations:

Close a single case from the case details page

  1. Open the case you want to close, then click Close Case.
  2. In the Close Case dialog, select a valid reason and a root cause for closing the case, and enter any additional comments. These comments will be posted on the Case Wall.
  3. Click Close.

Close multiple cases at once

When you manage a high volume of cases, choose a method that matches your workflow and the number of cases you want to close.

The following guidelines are based on the approximate number of open cases in your case queue.

For a small number of cases (2-250 cases)

If you have a manageable number of cases to close (typically 2-250 cases), you can use these methods directly within the platform. The platform allows you to close up to 50 cases at once from the Cases page views or the Search page.

From the cases queue (side-by-side view)

  1. In the cases queue, click Select multiple cases.
  2. Select the relevant cases you want to close in the cases queue.
  3. Click Close Cases/Merge Cases and select Close Cases.
  4. In the Close Case dialog, select a valid reason and a root cause. Optionally, enter comments to post on the Case Wall.
  5. Click Close.

From the cases queue (list view)

  1. Select the relevant cases you want to close in the cases queue.
  2. Click Close cases.
  3. In the Close Case dialog, select a valid reason and a root cause for closing the case and enter any additional comments. These comments will be posted on the Case Wall.
  4. Click Close.

From the Search page

  1. Go to the Search page.
  2. Apply filters to find the relevant cases you want to close.
  3. From the search results, select the cases you want to close.
  4. Click Menu and select Close case.
  5. In the Close Case dialog, choose a valid reason and root cause. Optionally, enter comments to post on the Case Wall. Click Close when finished.

For a medium number of cases (250-2000 cases)

For a larger, but still manageable, number of cases (typically 250-2000 cases), use the following API endpoint to bulk close cases. The API allows deletion in blocks of 50 per request:

/api/external/v1/cases-queue/bulk-operations/ExecuteBulkCloseCase
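
One way to drive this endpoint in blocks of 50, as an added example that is not Google's code: it builds one request per block and stops at the first failed block so you know which cases are still open. The body fields (casesIds, closeReason, rootCause, closeComment), the AppKey header, the host soar.example.com and the sample reason and root-cause values are assumptions; confirm them against your instance's API reference.

```python
import json
import urllib.request

BULK_CLOSE_PATH = "/api/external/v1/cases-queue/bulk-operations/ExecuteBulkCloseCase"
MAX_PER_REQUEST = 50  # block size stated on this page

def batch_case_ids(case_ids, size=MAX_PER_REQUEST):
    """De-duplicate case IDs (keeping order) and split them into blocks."""
    unique = list(dict.fromkeys(int(c) for c in case_ids))
    return [unique[i:i + size] for i in range(0, len(unique), size)]

def build_requests(base_url, api_key, case_ids, reason, root_cause, comment=""):
    """Return one unsent POST request per block of case IDs."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    requests = []
    for block in batch_case_ids(case_ids):
        # Assumed field names; confirm against your instance's API reference.
        body = {"casesIds": block, "closeReason": reason,
                "rootCause": root_cause, "closeComment": comment}
        requests.append(urllib.request.Request(
            base_url.rstrip("/") + BULK_CLOSE_PATH,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "AppKey": api_key},  # assumed header
            method="POST"))
    return requests

def close_cases(requests, send=urllib.request.urlopen):
    """Send blocks in order; return (closed_ids, ids_of_first_failed_block)."""
    closed = []
    for req in requests:
        ids = json.loads(req.data)["casesIds"]
        try:
            with send(req, timeout=30) as resp:
                if resp.status != 200:
                    return closed, ids
        except OSError:  # URLError and HTTPError are subclasses of OSError
            return closed, ids
        closed.extend(ids)
    return closed, []

if __name__ == "__main__":
    # Constructed sample: 120 case IDs plus one duplicate; nothing is sent.
    sample = list(range(1001, 1121)) + [1001]
    reqs = build_requests("https://soar.example.com", "PLACEHOLDER_KEY",
                          sample, "NotMalicious", "Normal behavior")
    print([len(json.loads(r.data)["casesIds"]) for r in reqs])
```

Record the IDs returned in the second element and resume from that block once the failure is understood.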

For a large number of cases (2000+ cases)

If you need to close a large volume of cases (2000+ cases), contact Google Support.

View the contents of a closed case

To view the contents of closed cases, follow these steps:

  1. Go to the SOAR Search page.
  2. In the Filter section, select Status > Closed.
  3. Click Apply.
  4. In the list of closed cases, click the ID number of the selected case; you're redirected to the original case contents.
