We have a discover scan running that looks for PCI data, once it finds this data it quarantines the file and leaves a marker in place of the file. The problem we are having is identifying the Incident so we can investigate and potentially recover the file for the employee. The variable $Incident_ID$ does not populate at the discover server and only gets populated when it reaches the Enforce server. How have people been able to better identify these discover events? Thank you in advance.