Steps to reproduce:
Create a simple rule (PCI, no word boundaries) with Endpoint channels.
Set the action plan to "Confirm" on all endpoint channels.
When a violation occurs on the endpoint, do nothing and the "confirmation" box will disappear after few seconds with no action from the user.
the Incident is registered as "Blocked (confirmed)"
Even though there was no confirmation.
Actual result:
the Incident is registered as "Blocked (confirmed)"
Even though there was no confirmation.
Expected result:
Incident should report "Blocked (Un-confirmed)"
All the customer needs is to have a way to distinguish in incident reports, what was actively confirmed by the customer and what wasent confirmed within the 10 second time frame.