SIEM solutions detect real attacks from the thousands of events that are happening in the network. When an unexpected and potentially dangerous event is recognized, engineers take a quick (temporary) action to block the security leak, diagnose what really went wrong, determine what else is at risk, and decide on a fix. At the same time, the engineer might have to figure out what changed in the network configurations to cause the incident. Depending on the complexity and number of devices required to be investigated, executing a timely response can be unrealistic. This paper discusses how Athena's firewall analytics solution can be used to find the rule changes related to the incident and to verify if the remedy implemented actually works without creating unintended side effects to the network.