There are 2 potential reasons for this kind of behaviour where Alerts are not closed when the related Incident state is Resolved/Closed
- The schedule job: Event Management - create/resolved incidents by alerts calls the script include: EvtMgmtAlertManagementJob which in turn calls other script include: EvtMgmtAlertActions, which looks for the alert severity and if the severity is "Info" then we ignore these alerts. This is an OOB behaviour.
- OOB scheduled job "Event Management - create/resolved incidents by alerts" set to false by default from London. Please refer to the KB: KB0723087 which has more details about this functionality.