A false positive is an Indicator that has been erroneously classified as malicious. ThreatConnect® allows users to report false positives, but each user may report a given Indicator at most once per day; several different users may still each report the same Indicator on the same day. There is no limit on the number of false positives that API users may report. The status of an Event Group can also be set to “False Positive,” and, if desired, all Indicators associated with the Event can be marked as false positives at the same time.
Viewing and Reporting False Positives
- On the top navigation bar (Figure 1), place the cursor over Browse and then over the Indicators option. Click an Indicator type (Host in this example) to display a results table (Figure 2).
- Click one of the entries, and the Details drawer for that entry will be displayed (Figure 3).
- Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
- Scroll down to see the Observations/False Positives card on the right-hand side (Figure 5), which includes three items regarding false positives:
- Report False Positive checkbox: Select the checkbox to report the Indicator as a False Positive.
- False Positives Reported: Displays the number of times the Indicator has been reported as a false positive.
- Last Reported: Displays the last date that the Indicator was reported as a false positive.
- Select the Report False Positive checkbox, and a View Details hyperlink will appear next to False Positives Reported, along with an updated false-positive count. Also, a date will appear next to Last Reported (Figure 6).
- Click the View Details link, and the False Positive List window will be displayed, listing the users who reported false positives and the dates on which they did so (Figure 7). If desired, click the trash icon next to an entry to delete that false-positive report.
NOTE: All users can report false positives and view the dates on which reports were made. The full names of the reporting users are displayed only to users in the same Organization or to users whose role allows viewing System accounts (e.g., Administrator, Accounts Administrator, or Community Leader). Users who can see the full names of reporting users can also delete false-positive reports, so deletion is available only to those roles.
Including False Positives Reported by API Users
- Organization Administrators and higher can enable data provided by API users to be included in the Observations/False Positives card. To do so, hover the cursor over the Settings icon on the top navigation bar (Figure 1) and select Org Settings from the dropdown menu (Figure 8).
- The Membership tab of the Organization Settings screen will be displayed (Figure 9).
- Click the pencil icon corresponding to an API user in the Account column. The API User Administration window will be displayed (Figure 10).
- Select the Include in Observations and False Positives checkbox, and click the SAVE button.
- The Observations/False Positives card will now list, for each API user selected in this way, how many times that user made observations on and reported false positives for the Indicator.
Setting an Event Status to False Positive
The Status of an Event Group can be set to “False Positive,” and, if desired, all Indicators associated with the Event can be marked as false positives in the same step.
- Navigate to the Details screen of an Event (Figure 11).
- Scroll down to the Details card (Figure 12).
- Click the Status (“Needs Review” in Figure 12), and it will turn into a dropdown menu (Figure 13).
- Select False Positive from the menu, and then click the checkmark icon to confirm (Figure 14).
- The Apply False Positive window will be displayed (Figure 15).
- Click the YES button to mark all Indicators associated with the Event as false positives in addition to changing the Event's Status; if only the Event's Status should change, decline instead.