A false positive refers to an Indicator that has been erroneously classified as malicious. ThreatConnect® allows users to report false positives, although this feature is limited to once a day per Indicator per user; thus, different users may each report the same Indicator once on the same day. There is no limit on the number of false positives that may be reported by API users. The status of an Event Group can also be set to “False Positive,” and, if desired, all Indicators associated with the Event can be marked as false positives.
- On the top navigation bar (Figure 1), place the cursor over BROWSE and then over the INDICATORS option. Click on an object (HOST in this example) to display a results table (Figure 2).
- Click one of the entries, and the Details flyout for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the flyout, and the Overview tab of the Details screen will appear (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
- Scroll down to see the Observations/False Positives card on the right-hand side (Figure 5), which includes three items regarding false positives:
  - Report False Positive checkbox: Check the box to report the Indicator as a False Positive.
  - False Positive Reported: Displays the number of times the Indicator has been reported as a false positive.
  - Last Reported: Displays the last date that the Indicator was reported as a false positive.
- Click the Report False Positive checkbox, and a View Details hyperlink will appear next to False Positives Reported, along with an updated false-positive count. Also, a date will appear next to Last Reported (Figure 6).
- Click on the View Details link, and the False Positive List window will appear with details (Figure 7).
- To include data provided by API users in the Observations/False Positives card, hover the cursor over the Settings icon on the top navigation bar (Figure 1) and select ORG SETTINGS from the dropdown menu (Figure 8).
- The Organization Settings screen will appear (Figure 9).
- Click the Modify icon corresponding to an API user in the Account column. The API User Administration window will appear (Figure 10).
- Check the Include in Observations and False Positives checkbox, and click the SAVE button.
- The Observations/False Positives card will now display a list showing how many times each selected user made observations and reported false positives on the Indicator.
NOTE: Users can report false positives and view the date on which they were reported. Full names of users who reported false positives will be displayed only for users in the same Organization or for users who have a role that allows the viewing of System accounts (e.g., Administrator, Accounts Administrator, or Community Leader). Users who can view the full names of users who have reported false positives may also delete false-positive reports.
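As an added illustration (not ThreatConnect's own code or API), the following Python model captures the reporting rules described above: the once-a-day limit per Indicator for UI users, the unlimited reports by API users, the count and Last Reported values shown on the card, and the name-visibility rule from the note. The indicator, user and Organization values are constructed samples.

```python
from collections import defaultdict
from datetime import date

# Constructed in-memory model of the false-positive rules described on this
# page (assumption: illustrative only, not ThreatConnect's own code or API).


class FalsePositiveTracker:
    """Tracks false-positive reports per Indicator. UI users may report a given
    Indicator once per day; API users are not limited."""

    def __init__(self):
        self.reports = defaultdict(list)  # indicator -> [(user, date, via_api)]

    def report(self, indicator, user, on, via_api=False):
        """Record one report. Returns False only when a UI user has already
        reported this Indicator on the same date."""
        if not via_api and any(u == user and d == on
                               for u, d, _ in self.reports[indicator]):
            return False
        self.reports[indicator].append((user, on, via_api))
        return True

    def count(self, indicator):
        """Value shown as the number of false positives reported."""
        return len(self.reports[indicator])

    def last_reported(self, indicator):
        """Value shown as 'Last Reported' (None if never reported)."""
        dates = [d for _, d, _ in self.reports[indicator]]
        return max(dates) if dates else None

    def mark_event_false_positive(self, event_indicators, user, on):
        """Setting an Event's Status to False Positive and answering YES marks
        every associated Indicator; returns how many reports were accepted."""
        return sum(self.report(i, user, on) for i in event_indicators)

    def visible_reporters(self, indicator, viewer_org, user_orgs,
                          can_view_system_accounts=False):
        """Full names are shown only to viewers in the reporter's Organization
        or to roles that may view System accounts; otherwise hidden (None)."""
        return [u if user_orgs.get(u) == viewer_org or can_view_system_accounts
                else None
                for u, _, _ in self.reports[indicator]]
```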
Setting an Event Status to False Positive
The Status of an Event Group can be set to “False Positive,” and, if desired, Indicators associated with the Event can be marked as false positives.
- Navigate to the Details screen of an Event (Figure 11).
- Scroll down to the Details card (Figure 12).
- Click the Status (“Needs Review” in Figure 12), and it will turn into a dropdown menu (Figure 13).
- Select False Positive from the menu and click the checkmark icon (Figure 14).
- The Apply False Positive window will appear. Click YES to mark all Indicators associated to the Event as false positives.