[Security] [Serverless: Sep 30] Alert closing reason (#3207)

Resolves #2810 by
documenting the ability to specify a reason when closing a detection
alert.

Preview: [Manage detection alerts > Set an alert's closing
reason](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3207/solutions/security/detect-and-alert/manage-detection-alerts#set-an-alerts-closing-reason)

Author: natasha-moore-elastic

solutions/images/security-alert-change-status.png

@@ -191,6 +191,22 @@ To change an alert’s status, do one of the following:
     ::::
 * In an alert’s details flyout, click **Take action** and select a status.
 
+#### Set an alert's closing reason
+```yaml {applies_to}
+stack: ga 9.2
+serverless: ga
+```
+
+You can specify a reason for closing an alert by selecting one of the following options:
+
+* **Close without reason**: Close the alert without specifying a reason.
+* **Duplicate**: The alert is a duplicate of another alert.
+* **False positive**: The alert was triggered by normal activity and doesn't indicate a security issue.
+* **True positive**: The alert represents a real security incident that has been resolved.
+* **Benign positive**: The alert correctly identified the activity, but the activity is acceptable or not actionable.
+* **Other**: Any other reason not covered by the predefined categories.
+
+When you select a closing reason, the alert document is populated with a new field called `kibana.alert.workflow_reason`. You can use this field to filter and sort alerts on the **Alerts** page. If you later reopen the alert, the field is removed from the document.
 
 ### Apply and filter alert tags [apply-alert-tags]