Hello all,
I am working with custom reports containing the alert.id meta key so I can summarize the alerts generated over some time range.
However, I am experiencing a high number of false positives in these reports.
I would like to know if there is a way to use the RSA NetWitness intelligence to optimize these reports and reduce the number of false positives.
I started using the solution recently, so I don't know the best practices or the best way to create more efficient reports.
Could anyone help me with this? Are there any tips for getting better reports, or a best-practices document for it?
Thanks in advance.
Hi Renato,
Have a look at the post I made here: Whitelisting a false positive
Once you have a meta key to store the reason that you consider the traffic safe, you can then use && !exists safe.traffic in your report rules to exclude any traffic you consider safe.
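The approach in the answer above, as an added illustration that is not part of the original thread and not NetWitness code: sessions are tagged with a reason in a safe.traffic meta key by a whitelist rule, the alert summary then drops anything where that key exists (the equivalent of the report rule's && !exists safe.traffic clause), and a companion summary groups the excluded alerts by reason so the whitelist itself stays reviewable. The session records, the whitelist predicates, the reasons and the alert.id values are all constructed for the example; the meta key names mirror the ones mentioned in the thread.

```python
from collections import Counter, defaultdict

# Constructed sample sessions (not real NetWitness data). Each dict stands for
# one session's meta. safe.traffic is absent unless a whitelist rule set it.
SESSIONS = [
    {"alert.id": "scan_detected", "ip.src": "10.0.5.20", "ip.dst": "10.0.9.1"},
    {"alert.id": "scan_detected", "ip.src": "10.0.5.20", "ip.dst": "10.0.9.2"},
    {"alert.id": "scan_detected", "ip.src": "203.0.113.7", "ip.dst": "10.0.9.3"},
    {"alert.id": "dns_tunnel", "ip.src": "10.0.7.14", "alias.host": "updates.example-av.com"},
    {"alert.id": "dns_tunnel", "ip.src": "10.0.7.15", "alias.host": "x7q2.badexample.net"},
]

# Constructed whitelist: (predicate, reason). In NetWitness this would be an
# application rule or feed that writes safe.traffic; here it is a plain function.
# Keep each entry as narrow as possible (source and destination, not just a host).
WHITELIST = [
    (lambda s: s.get("ip.src") == "10.0.5.20", "authorized vulnerability scanner"),
    (lambda s: s.get("alias.host", "").endswith(".example-av.com"), "AV update traffic"),
]


def tag_safe_traffic(sessions, whitelist=WHITELIST):
    """Return copies of the sessions with safe.traffic set to the reason of the
    first matching whitelist entry; sessions matching nothing are left untouched."""
    tagged = []
    for s in sessions:
        s = dict(s)
        for predicate, reason in whitelist:
            if predicate(s):
                s["safe.traffic"] = reason
                break
        tagged.append(s)
    return tagged


def summarize_alerts(sessions, exclude_safe=True):
    """Count sessions per alert.id. With exclude_safe=True this mirrors a report
    rule whose where clause ends in '&& !exists safe.traffic'."""
    counts = Counter()
    for s in sessions:
        if "alert.id" not in s:
            continue
        if exclude_safe and "safe.traffic" in s:
            continue
        counts[s["alert.id"]] += 1
    return dict(counts)


def summarize_exclusions(sessions):
    """Companion view: alerts that were excluded, grouped by the stored reason.
    This is the report to review so the whitelist does not silently grow stale."""
    by_reason = defaultdict(Counter)
    for s in sessions:
        if "safe.traffic" in s and "alert.id" in s:
            by_reason[s["safe.traffic"]][s["alert.id"]] += 1
    return {reason: dict(c) for reason, c in by_reason.items()}


if __name__ == "__main__":
    tagged = tag_safe_traffic(SESSIONS)
    print("all alerts:      ", summarize_alerts(tagged, exclude_safe=False))
    print("after whitelist: ", summarize_alerts(tagged))
    print("excluded by why: ", summarize_exclusions(tagged))
```

The point of storing a reason rather than a bare flag is the third summary: a report over safe.traffic grouped by reason shows how much each whitelist entry is suppressing, which is what you need when an entry turns out to be too broad.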