By default, an anomaly has the Active status, which indicates that the incident still requires examination or is being kept for further investigation. As you inspect anomalies and respond to threats, update statuses and add comments.
To change an anomaly status
- Select an anomaly from the list and click the Active link in the Status column.
- In the Change Status dialog, set the status to "reviewed" and provide a justification.
NOTE: You can add comments without changing a status. This might be helpful if the anomaly remains active for a long period of time and you need even more time to examine it closely.
Once the anomaly is reviewed, it disappears from the timeline and chart, and its associated risk score is subtracted from the user's total score. For reviewed anomalies, the status is supplemented with the reviewer name and date (e.g., Reviewed by CORP\Administrator (10/02/2017 10:12:03 AM)).
You can always revert changes and assign the Active status back.
To process all anomalies
- In the Actions section, select Mark all as reviewed.
In this case, all anomalies that are currently in view will be set to "reviewed". Perform this operation only with a proper justification. Since Netwrix Auditor shows only the top 2,000 anomalies, make sure to click Refresh to check if there are more anomalies to be reviewed.
NOTE: The anomalies that are excluded from view by filters are not affected by the Mark all as reviewed action. For more information about filters, see Customize Anomalies List.