AnsweredAssumed Answered

Whitelisting a false positive

Question asked by Jeremy Kerwin on Aug 2, 2016
Latest reply on Aug 4, 2016 by Kevin Clerks

Hey all, this may seem like a simple question.

I'm getting the following alert for a known DNS lookup.


risk.suspisious = dns_extremely_low_ttl

threat.category = suspicious

threat.source = netwitness


Now the alert is being generated when hosts are doing a DNS lookup to our proxy pac file which I do now has a very low TTL because of a round robin approach.

So because I know it's a false positive what would be the best way to 'whitelist' or tell SA 'yep, I know that one, you can ignore it'.