Hey all, this may seem like a simple question.
I'm getting the following alert for a known DNS lookup.
risk.suspisious = dns_extremely_low_ttl
threat.category = suspicious
threat.source = netwitness
Now the alert is being generated when hosts are doing a DNS lookup to our proxy PAC file, which I do know has a very low TTL because of a round-robin approach.
So, because I know it's a false positive, what would be the best way to 'whitelist' it, or tell SA 'yep, I know that one, you can ignore it'?
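The tuning problem in the post (a low-TTL DNS detection that fires on a known round-robin host) can be illustrated with a small stand-alone detector that keeps the alert but suppresses reviewed hostnames. This is an added example, not code from the original post and not how NetWitness/SA implements its rules or whitelists; the hostname `proxy-pac.corp.example`, the threshold of 30 seconds, and the sample DNS answer records are all constructed for the illustration.

```python
"""Low-TTL DNS detection with an analyst allowlist.

Added example (not from the original post, not NetWitness code). Flags DNS
answers whose TTL falls below a threshold and suppresses hits for hostnames
an analyst has reviewed, while still counting the suppressions so the tuning
stays auditable.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample DNS answers: (queried hostname, answer TTL in seconds, client IP).
SAMPLE_ANSWERS = [
    ("proxy-pac.corp.example", 5, "10.0.0.12"),   # assumed round-robin PAC host
    ("proxy-pac.corp.example", 5, "10.0.0.47"),
    ("mail.corp.example", 3600, "10.0.0.12"),     # normal TTL, never flagged
    ("xk3j9.example.net", 1, "10.0.0.33"),        # constructed low-TTL name, not reviewed
]

# Assumed threshold; the original post gives no number for "extremely low".
LOW_TTL_THRESHOLD = 30

# Allowlist keyed by normalised hostname, with the analyst's justification.
# Matching on the name rather than the answer IP matters for round-robin
# hosts, because the IPs returned vary from lookup to lookup.
ALLOWLIST = {
    "proxy-pac.corp.example": "round-robin PAC host, low TTL reviewed",
}


@dataclass(frozen=True)
class Finding:
    hostname: str
    ttl: int
    client: str
    suppressed: bool
    reason: str


def normalise(hostname: str) -> str:
    """Lower-case and strip a trailing dot so allowlist lookups are exact."""
    return hostname.strip().lower().rstrip(".")


def classify(hostname: str, ttl: int, client: str,
             threshold: int = LOW_TTL_THRESHOLD,
             allowlist: dict = ALLOWLIST) -> Optional[Finding]:
    """Return a Finding for a low-TTL answer, or None if the TTL is normal."""
    if ttl >= threshold:
        return None
    justification = allowlist.get(normalise(hostname))
    if justification is not None:
        return Finding(hostname, ttl, client, True, justification)
    return Finding(hostname, ttl, client, False, "dns_extremely_low_ttl")


def run(answers, threshold: int = LOW_TTL_THRESHOLD, allowlist: dict = ALLOWLIST):
    """Split low-TTL findings into live alerts and suppressed (allowlisted) hits."""
    findings = [f for f in (classify(*a, threshold=threshold, allowlist=allowlist)
                            for a in answers) if f is not None]
    alerts = [f for f in findings if not f.suppressed]
    suppressed = [f for f in findings if f.suppressed]
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = run(SAMPLE_ANSWERS)
    for f in alerts:
        print(f"ALERT      {f.hostname} ttl={f.ttl} client={f.client} ({f.reason})")
    for f in suppressed:
        print(f"SUPPRESSED {f.hostname} ttl={f.ttl} client={f.client} ({f.reason})")
```

The point of keeping the suppressed list rather than dropping the matches outright is that the allowlist itself becomes reviewable: if the PAC host ever stops resolving with a low TTL, or a new low-TTL name appears, the counts change and the tuning can be revisited.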