How to Resolve a Threat (Closing & Re-Opening)

Resolving a threat in Selki is a key part of the identity exposure workflow.

Closing or re-opening a threat helps your security team manage remediation progress, maintain visibility, and document actions taken on compromised accounts.

Selki provides simple, structured controls for:

• closing a threat once remediation has been completed
• re-opening a threat when new information appears or additional work is required

This article explains how each action works and when to use it.

1. Closing a Threat

A threat should be closed when your team has reviewed and fully remediated the exposure.

Typical actions before closing a threat:

• Password has been reset
• MFA has been enforced or validated
• User has been notified
• Access logs show no further misuse
• Device infection has been cleaned (if infostealer-related)
• Account has been secured or monitored as necessary

Closing a threat indicates that it no longer represents an immediate operational risk.

2. How to Close a Threat

You can close a threat from two locations:

A) From the Threats List

1. Click the Status dropdown on the desired threat.
2. Select Close.
3. The threat will immediately change to closed state.

B) From the Threat Details Panel

1. Click a threat to open its detailed view.
2. Locate the Status dropdown at the top of the panel.
3. Select Close.
4. The threat is now marked as resolved.

No confirmation modal is required — the process is immediate to support fast workflows.

3. What Happens After Closing

When a threat is closed:

• It is moved out of Active Threats
• It appears under Closed Threats
• The Dashboard updates its totals (Active / Closed)
• Trend charts reflect the closure
• Exports include the updated status
• Filters can isolate or hide closed threats

Closing a threat does not delete the exposure or remove historical evidence — it simply marks remediation as completed.

4. Re-Opening a Threat

A threat should be re-opened when:

• the same user is exposed again
• new findings appear (new hostname, new password, new source)
• evidence shows remediation was incomplete
• a re-investigation is needed
• a user resets a password back to a compromised one
• the identity appears again in new datasets

Re-opening ensures recurring risks are not ignored.

5. How to Re-Open a Threat

You can re-open a threat from:

A) The Threats List

1. Click the Status dropdown of a closed threat.
2. Select Re-Open.
3. The threat will return to Active state.

B) The Threat Details Panel

1. Open the closed threat.
2. Select Re-Open from the status dropdown.
3. The threat is immediately activated again.

6. Workflow Best Practices

To maintain a clean and effective remediation pipeline:

Do

• Close threats only after full remediation
• Re-open immediately when new exposures appear
• Review high and critical threats daily
• Use Watcher filters to check domain-level hotspots
• Audit closed threats periodically
• Document internal response steps alongside status changes

Don’t

• Close threats without confirming user action
• Leave high-risk threats open for long periods
• Treat employee and customer threats the same — risk levels differ
• Ignore repeated exposures

7. Lifecycle Example

Here’s a real-world scenario:

1. Threat detected — infostealer leak with password
2. Status: Open
3. Security team resets password and enforces MFA
4. Threat closed
5. Two weeks later, identity appears again in a new malware log
6. Threat re-opened automatically or manually
7. New remediation steps begin

This full lifecycle is tracked through the threat statuses.

Summary

Selki’s threat resolution workflow provides a simple but powerful way to track exposure remediation.

Closing indicates remediation is complete, while re-opening ensures new or recurring risks are promptly addressed.

Managing statuses correctly keeps dashboards accurate, prevents oversight, and supports strong identity security practices.

Next Article

➡ Article 10 – Exporting Threats (PDF, CSV, XLSX)

Updated on: 01/12/2025