We've recently implemented a MARS system and I posted this question to one of the guys that helped us implement it. He said Cisco said the following:
There is no way to delete incidents from MARS. If you want to wipe the box clean; i.e. re-import devices, license keys, etc. you can run the "pnreset" command from the CLI. This will wipe the box clean.
I believe this option is not available yet in CS-MARS v4.1.x.
The new version 4.2.x will be out soon (major upgrade), which includes an option to delete various things like user-defined rules. It probably includes an option to clear/delete incidents.
Is there an ETA on the new version? I'm not looking for a hard and fast date, just a general idea of when it may arrive.
Also, will the new version have better troubleshooting capabilities built in for the MARS device itself? Currently, trying to troubleshoot issues with the device is an abysmal process.
I have a CS-MARS demo unit running version 4.2 and I don't see any way to remove an incident from the view while maintaining it in the DB.
This is one feature that I really like about security monitor's event viewer. It really cuts down on the clutter.
I will ask the question as well. Will there be a way to acknowledge an incident and remove it from the viewer in any future releases? If it does exist in version 4.2, does anyone know how to use it?