2 Replies Latest reply on Dec 2, 2010 9:09 AM by SCtbe

How do you "mark" critical events as having been remediated or dealt with?

We have recently come under the auspices of PCI. As such, log files & reporting have suddenly become an issue. I have a dashboard that uses the default query "Threat Severity" display. This display keeps a constant running total of several classifications of threats (Informational, warning, critical etc.). When you click any given category and drill down, you get a tabular listing with a column of checkmark boxes on the left.

Here's my question: When I select any of these entries and mark them as "read", the display refreshes and there is no visible indication that anything has changed. The total count for that category remains as it was back on the summary screen. If I delete an entry...then it does appear to delete and the count changes. However, this seems to delete entries from a log file...definitely not allowed from a PCI viewpoint.

I may very well be using this particular dashboard in a manner in which it was not intended...but I need to find an alternative. How can I be alerted via a dashboard item that various critical events have taken place but allow me to delete the alert from the dashboard without deleting an actual log entry? In other words, I want the dashboard to reflect action items that need to be addressed and/or remediated but still be able to show an auditor (via a report) that the event took place and that it *was* handled.
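The separation the question asks for, as an added example that is not part of the original thread and not code from any vendor's dashboard product: the log of events is append-only and never edited, while remediation is recorded in a separate acknowledgement ledger that references an event by id. The dashboard is then a query over "events with no acknowledgement", and the audit report is a query over every event joined with its handling record. All class and function names (EventStore, Acknowledgement, build_sample_store) are hypothetical, and the event data is constructed sample input.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One immutable log record. Nothing here is ever changed or removed."""
    event_id: int
    timestamp: str
    severity: str
    message: str


@dataclass(frozen=True)
class Acknowledgement:
    """A remediation record that points at an event instead of altering it."""
    event_id: int
    handled_by: str
    handled_at: str
    note: str


class EventStore:
    """Append-only event log plus a separate ledger of acknowledgements (hypothetical)."""

    def __init__(self) -> None:
        self._events: List[Event] = []
        self._acks: List[Acknowledgement] = []

    def append_event(self, timestamp: str, severity: str, message: str) -> int:
        # Ids are assigned in arrival order; the log only ever grows.
        event_id = len(self._events) + 1
        self._events.append(Event(event_id, timestamp, severity, message))
        return event_id

    def acknowledge(self, event_id: int, handled_by: str, handled_at: str, note: str) -> None:
        # Refuse to acknowledge ids that do not exist, so the ledger stays consistent.
        if not any(e.event_id == event_id for e in self._events):
            raise KeyError(f"unknown event id {event_id}")
        self._acks.append(Acknowledgement(event_id, handled_by, handled_at, note))

    def total_events(self) -> int:
        return len(self._events)

    def _acked_ids(self) -> set:
        return {a.event_id for a in self._acks}

    def open_counts(self) -> Dict[str, int]:
        """Dashboard tile: per-severity totals of events not yet acknowledged."""
        acked = self._acked_ids()
        counts: Dict[str, int] = {}
        for e in self._events:
            if e.event_id not in acked:
                counts[e.severity] = counts.get(e.severity, 0) + 1
        return counts

    def open_events(self, severity: Optional[str] = None) -> List[Event]:
        """Dashboard drill-down: the action items still outstanding."""
        acked = self._acked_ids()
        return [e for e in self._events
                if e.event_id not in acked and (severity is None or e.severity == severity)]

    def audit_report(self) -> List[dict]:
        """Auditor view: every event ever logged, with its handling record if any."""
        acks_by_id = {a.event_id: a for a in self._acks}
        rows = []
        for e in self._events:
            ack = acks_by_id.get(e.event_id)
            rows.append({
                "event_id": e.event_id,
                "timestamp": e.timestamp,
                "severity": e.severity,
                "message": e.message,
                "status": "handled" if ack else "open",
                "handled_by": ack.handled_by if ack else None,
                "handled_at": ack.handled_at if ack else None,
                "note": ack.note if ack else None,
            })
        return rows


def build_sample_store() -> EventStore:
    """Constructed sample data: four events, one of which gets remediated."""
    store = EventStore()
    store.append_event("2010-12-01T08:00:00", "Informational", "Scheduled scan completed")
    store.append_event("2010-12-01T08:05:00", "Warning", "Failed logon for user 'svc_backup'")
    crit = store.append_event("2010-12-01T08:10:00", "Critical", "Malware detected on host WS-042")
    store.append_event("2010-12-01T08:12:00", "Critical", "Firewall policy change outside change window")
    # Remediation is a new record; the original event row is untouched.
    store.acknowledge(crit, "analyst1", "2010-12-01T09:30:00", "Host isolated and reimaged; ticket PLACEHOLDER-0001")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("open counts:", s.open_counts())
    for row in s.audit_report():
        print(row)
```

Because acknowledging never touches the event rows, the dashboard count drops while the audit report still lists the event with who handled it, when, and what was done; a real deployment would persist both tables and restrict write access on the event table to the collector only.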