Avoiding False Positive Incidents (Tag Whitelist)

  • #3282
    Mike Riforgiate
    Keymaster

    There may be some tools that may inaccurately identify certain conditions or events as an ALERT or an ALARM, when they should probably only be INFO.

    If you find this to be the case, you can execute the following to help Precinct identify those false positives properly.

    • Look at the artifact for the event, expand it, and identify the tags associated with it.
    • Choose which tag(s) can be used to identify a benign event and copy the text.
    • Paste the tag text into the Tag Whitelist section found in Admin > Settings > Artifact Tag Whitelist.
    • Submit the settings change at the bottom of the screen.

    NOTE: Since this action has the potential to ignore activities that may be actual threats, please ensure the events you intend to tag whitelist are, in fact, benign events.

    Video walk-through for Tag Whitelisting
