How to Manage False Positives and Optimize the System
The portal can flag entries that turn out to be false positives; when that happens, users should exclude those entries. In every table, users can mark entries as trusted, add values to the white or black lists, and append values to the classification rules. As a result, records are evaluated correctly and the portal provides better visibility. Every table also offers a bulk operation option in the "..." section.
For Autoruns, Processes and Inventory Assets:
Setting as Trusted (optional): Right-click on the entry -> Actions -> Set as trusted. This option sets the entry's risk score to 0 and displays it as trusted. It is recommended for single or unique entries.
Adding to a Classification Rule (recommended): Right-click on the entry -> Rule Management -> Add Value as a Classification Rule -> Set the priority of the classification rule -> Scroll down and click on the "Save & Force Run This Rule" button. This option is recommended for classifying the captured records; it applies to all data.
Adding to a List (recommended): Right-click on the entry -> List Management -> Add to a Global White List. This option does the same as a classification rule, but faster. Because the entries are on the white list, they no longer show up as false positives. The same action can be taken for malicious artifacts: users can simply add values to a Global Malware/Black List.
For Sysmon:
Setting as Trusted (optional): Right-click on the entry -> Actions -> Set as trusted. This option sets the entry's risk score to 0 and displays it as trusted. It is recommended for single or unique entries.
Adding to a Classification Rule (recommended): Right-click on the entry -> Rule Management -> Add Value as a Classification Rule -> Set the priority of the classification rule -> Scroll down and click on the "Save & Force Run This Rule" button. This option is recommended for classifying the captured records; it applies to all data.
Adding to a List (recommended): Right-click on the entry -> List Management -> Add to a Global White List. This option does the same as a classification rule, but faster. Because the entries are on the white list, they no longer show up as false positives. The same action can be taken for malicious artifacts: users can simply add values to a Global Malware/Black List.
Adding Values to the Sysmon Exclusions (highly recommended): Right-click on the entry -> Sysmon Rules Mgmt. -> Add to Image & Network Exclusion (the exclusion type can be changed to match the artifact type). This option is highly recommended because it excludes the values at the Sysmon level, so the noise never reaches the portal and the collected Sysmon data is much leaner.
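For readers unfamiliar with what an "Image & Network exclusion" means on the Sysmon side, the following is an added illustration of how such exclusions are expressed in a Sysmon configuration file; it is not generated by or taken from the portal, and the executable path is a constructed sample, not a recommended exclusion.

```xml
<!-- Added illustration of Sysmon "exclude" rules for one trusted image.
     onmatch="exclude" means matching events are dropped before they are
     written to the event log, which is why the portal never sees them.
     The path below is a constructed sample; exclude only binaries you have
     verified, since every exclusion is a blind spot for that image. -->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="TrustedImageExclusions" groupRelation="or">
      <!-- Event ID 1: suppress process-creation events for this image -->
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Program Files\SampleVendor\SampleAgent.exe</Image>
      </ProcessCreate>
      <!-- Event ID 3: suppress network-connection events from this image -->
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Program Files\SampleVendor\SampleAgent.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Prefer the exact "is" condition over "contains" or "begin with", since a broad match on a common path prefix silently excludes far more than the single artifact you reviewed.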