Working with a customer who is using FireEYE and now SourceFIRE to complement that solution. When looking at Intrusion events there is an option to "review" them. What i need to know is once i "review" an intrusion event how do i know when I actually did it. Can i run a report that shows me when i reviewed intrusion events? the only columns i see available are "reviewed by". I see in the audit log you can see that an intrusion event was reviewed but it does not give specific detail on which event was reviewed. there is a small disconnect there.
FireEYE's intrusion event summary page shows the event, and when the events were acknowledged. The customer is looking for something similar.
any help is appreciated.
