I have noticed that if a remediation rejection is made that there is not a way to know what is not being alerted on or a way to audit those changes. Unfortunately, we had an engineer reject VPN activity from a threat actor. As a result, that VPN service was no longer alerted on and effectively allowed persistence for more than a month. Can a step be added to the rejection process where admin approval is required? Maybe this can be an optional setting as it may not be desired by all MSPs. If not having rejections as an option for less permissive roles is possible, that might be a good solution as well.