How To Manage False Positives and Optimize the System
The portal may flag entries that are false positives; when it does, users should exclude those entries. In every table, users can mark entries as trusted, add values to the white or black lists, and append values to the classification rules. Once this is done, records are evaluated correctly and the portal provides better visibility. Every table also offers a bulk operation option in the "..." section.
For Autoruns, Processes, and Inventory Assets:
Setting as Trusted (optional): Right-click on the entry -> Actions -> Set as trusted. This option sets the entry's risk score to 0 and marks it as trusted. It is recommended for single or unique entries.
Adding to a Classification Rule (recommended): Right-click on the entry -> Rule Management -> Add Value as a Classification Rule -> Set the priority of the classification rule -> Scroll down and click on the "Save & Force Run This Rule" button. This option is recommended for classifying the captured records; note that it affects all data.
Adding to a List (recommended): Right-click on the entry -> List Management -> Add to a Global White List. This option does the same as the classification rule, but faster. After that, the entries no longer show up as false positives because they are on the white list. The same action can be taken for malicious artifacts: users can simply add values to a Global Malware/Black List.
For Sysmon:
Setting as Trusted (optional): Right-click on the entry -> Actions -> Set as trusted. This option sets the entry's risk score to 0 and marks it as trusted. It is recommended for single or unique entries.
Adding to a Classification Rule (recommended): Right-click on the entry -> Rule Management -> Add Value as a Classification Rule -> Set the priority of the classification rule -> Scroll down and click on the "Save & Force Run This Rule" button. This option is recommended for classifying the captured records; note that it affects all data.
Adding to a List (recommended): Right-click on the entry -> List Management -> Add to a Global White List. This option does the same as the classification rule, but faster. After that, the entries no longer show up as false positives because they are on the white list. The same action can be taken for malicious artifacts: users can simply add values to a Global Malware/Black List.
Adding Values to the Sysmon Exclusions (highly recommended): Right-click on the entry -> Sysmon Rules -> Add to Image Exclusion (the exclusion type can be changed according to the artifact type). This option is highly recommended because excluding these values at the Sysmon level stops the noise at its source and yields a much leaner, better-optimized Sysmon data set.
Using the AI Auto Exclusion Feature (highly recommended): Navigate to "Settings & Reporting" -> "AI Settings". Click on the "Save" button under the "AI Analysis Auto Exclusion Settings" section; this saves the settings with default parameters. After that, enable the question "Can you identify the Windows Sysmon processes creating excessive traffic in the last day and show them to me to add to the Sysmon Exclusion Rules?" by clicking on the three dots on the right side of the grid and selecting the "Enable" option. These two actions start the auto-exclusion process in the background.
Manual Exclusion with AI: Click on the robot icon on the top right side of the grid and select the question "Can you identify the Windows Sysmon processes creating excessive traffic in the last day and show them to me to add to the Sysmon Exclusion Rules?". This action shows the last day's traffic in the Sysmon analysis. On the new page, click on the three dots and select these three options in order: "Check all recommended" -> "Add All Checked to Image & Network Access" -> "Add All Checked to Exclusions (Image, Network & per Relevant Event ID)".
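To make clear what an Image exclusion and a "per Relevant Event ID" exclusion mean once they reach the endpoint, here is an added example of how Sysmon itself expresses such exclusions in its configuration file. This is an illustrative fragment written for this page, not configuration generated by or exported from the portal; the image path is a constructed placeholder for a noisy but legitimate agent, and the schema version is an assumption that must match the installed Sysmon build.

```xml
<!-- Added example: Sysmon exclusion rules for one noisy image.
     Path and schemaversion are placeholders/assumptions, not values from the portal. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>

    <!-- Image exclusion for process creation (Event ID 1):
         exact match on the full path, so a same-named binary
         elsewhere on disk is still logged. -->
    <RuleGroup name="Exclude-ExampleAgent-ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Program Files\ExampleVendor\ExampleAgent.exe</Image>
      </ProcessCreate>
    </RuleGroup>

    <!-- Network exclusion for the same image (Event ID 3):
         this is what "Image & Network Access" adds on top of
         the plain Image exclusion. -->
    <RuleGroup name="Exclude-ExampleAgent-NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Program Files\ExampleVendor\ExampleAgent.exe</Image>
      </NetworkConnect>
    </RuleGroup>

    <!-- "Per Relevant Event ID": only the event types that were
         actually generating excess volume get an exclusion. Here,
         image loads (Event ID 7) by the same process. -->
    <RuleGroup name="Exclude-ExampleAgent-ImageLoad" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <Image condition="is">C:\Program Files\ExampleVendor\ExampleAgent.exe</Image>
      </ImageLoad>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Two points worth keeping in mind when reviewing what gets excluded: an `onmatch="exclude"` rule removes those events from the log permanently, so a full-path `condition="is"` match is preferable to `contains` or `end with`, which would also silence a renamed or relocated binary; and excluding only the event types that are actually noisy (the "per Relevant Event ID" option) preserves the remaining telemetry for that process. The installed schema version can be checked with `sysmon -s`, and a configuration is applied with `sysmon -c <file>`.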