I have a question from an internal customer:
We would like to get RSA engaged and find out how to further tune false positives from the Spectrum/Malware Analysis appliance. For instance, if we saw a McAfee DAT file fire that was a false positive, we would like to tune this filename/hash/various other characteristics to prevent the tool from firing in the future. If we can get this to tune as requested, we would like to ingest syslog into the SIEM and look at potential alerts.
The customer already has RSA Security Analytics User Documentation. Is there any other resource he can access to help answer his questions?
Malware - Spectrum - What's involved...
File exclude from Malware analysis?
I would take a look at these items to see where you have the opportunity to filter out files from the malware pipeline.
Most likely you will add an app rule to mark that file type/extension, or other combination of characteristics, with a value of spectrum.filter in the content meta key, to remove that flow from being sent to the MA appliance.
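As an added illustration (not code from the thread or from RSA), here is a small model of the exclusion decision the answer describes, so the filter logic can be reviewed before it is encoded as a decoder app rule. The McAfee DAT bytes, file names, hashes and the update host are constructed placeholders; a hash match alone excludes a file, while a filename match is only honoured from the configured source host, so a renamed sample does not bypass analysis on name alone.

```python
"""Model of a spectrum.filter exclusion policy (added example, constructed data)."""
import fnmatch
import hashlib
from dataclasses import dataclass, field

SPECTRUM_FILTER = "spectrum.filter"   # value written to the 'content' meta key


@dataclass
class Exclusion:
    """Characteristics of a file known to be benign, e.g. an AV DAT update."""
    reason: str
    filename_globs: tuple = ()
    sha256: frozenset = field(default_factory=frozenset)
    source_hosts: tuple = ()   # if set, name matches count only from these senders


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide_content_meta(filename, file_bytes, src_host, exclusions):
    """Return ('spectrum.filter', reason) when the file matches an exclusion,
    else (None, None). A hash match is sufficient on its own; a filename match
    additionally requires the expected source host, because an attacker can
    rename a payload but cannot forge its hash."""
    digest = sha256_hex(file_bytes)
    for ex in exclusions:
        if digest in ex.sha256:
            return SPECTRUM_FILTER, ex.reason
        name_ok = any(fnmatch.fnmatch(filename.lower(), g) for g in ex.filename_globs)
        host_ok = not ex.source_hosts or src_host in ex.source_hosts
        if name_ok and host_ok:
            return SPECTRUM_FILTER, ex.reason
    return None, None


# Constructed sample: a fake DAT payload served from a pretend update host.
DAT_BYTES = b"constructed mcafee dat contents"
EXCLUSIONS = [
    Exclusion(reason="McAfee DAT update",
              filename_globs=("avvdat-*.zip", "*.dat"),
              sha256=frozenset({sha256_hex(DAT_BYTES)}),
              source_hosts=("update.example.internal",)),
]
```

Each tuple returned is what you would translate into the app rule's condition (filename, hash, source host) and its spectrum.filter alert value.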