I created a test detection rule (keyword-based) with “Item Modified” and “Item No Longer Exists” turned on, then scanned a Discover Target looking at a particular folder in which I had created a text file with the particular keyword. The scan found the file, but subsequent scans did nothing to the previous Incident after I had modified and deleted the file. Am I missing something here? The help files include the following description:
About automatically tracking incident remediation status
You can configure Network Discover to automatically track the remediation status of file system target incidents.
During the first Network Discover scan for a given file system target, incident metadata (resource name, policies violated, and so on) is added to the Discover incident remediation tracking catalog. If during a subsequent scan an incident stored in the catalog does not appear in the scan results, Network Discover marks the incident as remediated with one of the following status indicators:
Item modified. The item has been modified and no longer violates a policy. In the case where both the item and policy have changed, the incident will be remediated as Item modified. This option is off by default.
Policy modified. The policy that the incident violated has changed. In the case where both the item and policy have changed, the incident will be remediated as Item modified. This option is off by default.
Item no longer exists. The item has been moved, deleted, or renamed. This option is on by default.
I can find nothing on the discovered incidents to indicate that these options have done anything. Are there additional steps that need to be taken? Am I misunderstanding the purpose? Any information here would be appreciated. Thanks!
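As an added illustration of the rule quoted from the help text (this is not Network Discover code and not from the poster), the following Python models the remediation tracking catalog and walks through the poster's test: the file is found on scan 1, edited so the keyword is gone before scan 2, and deleted before scan 3. The content hash and policy version stored per incident, the rule that an incident stays open when the matching option is switched off, and the paths and policy name are all assumptions made for the example.

```python
"""Model of the automatic incident remediation tracking described in the
help text.  Added example; it is not Symantec/Network Discover code.
Assumed catalog contents: a content hash of the item and the version of the
policy it violated.  Assumed behaviour: if the option that would apply is
switched off, the incident is left open.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ITEM_MODIFIED = "Item modified"
POLICY_MODIFIED = "Policy modified"
ITEM_NO_LONGER_EXISTS = "Item no longer exists"


@dataclass
class Incident:
    resource: str
    content_hash: str              # assumed catalog field
    policy_id: str
    policy_version: int            # assumed catalog field
    status: Optional[str] = None   # None means the incident is still open


@dataclass
class TrackingOptions:
    item_modified: bool = False          # off by default (help text)
    policy_modified: bool = False        # off by default (help text)
    item_no_longer_exists: bool = True   # on by default (help text)


def first_scan(violations: Dict[str, str], filesystem: Dict[str, str],
               policy_versions: Dict[str, int]) -> Dict[str, Incident]:
    """Populate the tracking catalog from the first scan of a target.

    violations maps each violating path to the policy it violated;
    filesystem maps every existing path to a content hash.
    """
    return {
        path: Incident(path, filesystem[path], pid, policy_versions[pid])
        for path, pid in violations.items()
    }


def subsequent_scan(catalog: Dict[str, Incident], violations: Dict[str, str],
                    filesystem: Dict[str, str], policy_versions: Dict[str, int],
                    opts: TrackingOptions) -> Dict[str, Incident]:
    """A catalogued incident that is absent from the new scan results is
    marked remediated; the status depends on what changed and on whether
    the corresponding option is switched on."""
    for path, inc in catalog.items():
        if inc.status is not None or path in violations:
            continue  # already closed, or the item still violates
        if path not in filesystem:
            if opts.item_no_longer_exists:
                inc.status = ITEM_NO_LONGER_EXISTS   # moved, deleted or renamed
            continue
        item_changed = filesystem[path] != inc.content_hash
        policy_changed = policy_versions[inc.policy_id] != inc.policy_version
        if item_changed:
            # Item and policy both changed still counts as Item modified.
            if opts.item_modified:
                inc.status = ITEM_MODIFIED
        elif policy_changed and opts.policy_modified:
            inc.status = POLICY_MODIFIED
        # Assumption: with the applicable option off, the incident stays open.
    return catalog


def run_scenario(opts: TrackingOptions) -> Tuple[Optional[str], Optional[str]]:
    """Constructed walk-through of the poster's test.  Returns the incident
    status after scan 2 (file edited, keyword gone) and scan 3 (file deleted)."""
    path = "/share/test.txt"                 # constructed sample path
    policies = {"keyword-rule": 1}           # constructed sample policy
    catalog = first_scan({path: "keyword-rule"}, {path: "sha256:aaa"}, policies)
    subsequent_scan(catalog, {}, {path: "sha256:bbb"}, policies, opts)
    after_edit = catalog[path].status
    subsequent_scan(catalog, {}, {}, policies, opts)
    after_delete = catalog[path].status
    return after_edit, after_delete


if __name__ == "__main__":
    print("defaults:            ", run_scenario(TrackingOptions()))
    print("Item Modified on too:", run_scenario(TrackingOptions(item_modified=True)))
```

Under the default options the edit alone leaves the incident open and only the deletion closes it as "Item no longer exists"; with "Item Modified" switched on, as the poster configured, the incident closes as "Item modified" on the second scan and the later deletion changes nothing because the incident is already remediated.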