
Filtering false positives from Alerts

Question asked by Jeremy Kerwin on Nov 17, 2020
Latest reply on Nov 18, 2020 by Jeremy Kerwin

I'm interested in learning what would be best practice for filtering false alerts.

We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors.


An ESA alert is created to alert on those threat actor names, and that sometimes causes false positive alerts. It's just a simple alert (select * if alert = <insert actor name>).


I don't think I can get into the feed file because it isn't in clear text and the intel vendor won't remove them.


We've done our investigation on these alerts and their false positives, so I'd like to filter them out as FP. What's the best practice for doing that?
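One way to keep the vendor feed untouched and still drop the investigated hits is to layer a reviewed exception list over the actor-match rule, keyed on the specific indicator and actor and tied to an investigation ticket with an expiry. The code below is an added example, not from this thread and not NetWitness ESA/EPL syntax; the feed entries, event values, ticket ids and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the vendor nwfeed: indicator -> actor name.
FEED = {
    "203.0.113.10": "ACTOR-A",
    "cdn.example.test": "ACTOR-A",   # shared host, investigated as benign
    "198.51.100.7": "ACTOR-B",
}

@dataclass(frozen=True)
class FpException:
    indicator: str   # the feed entry that produced the false positive
    actor: str       # the actor name the alert fired on
    ticket: str      # investigation record justifying the suppression
    expires: date    # suppression lapses after this date and must be re-reviewed

# Constructed exception list; the second entry has already expired.
EXCEPTIONS = [
    FpException("cdn.example.test", "ACTOR-A", "IR-1234", date(2021, 2, 1)),
    FpException("198.51.100.7", "ACTOR-B", "IR-1102", date(2020, 10, 1)),
]

def evaluate(events, feed, exceptions, today):
    """Apply the actor rule, then the exception list.

    events: observed indicator values (ip, domain or email) from sessions.
    Returns (alerts, suppressed); suppressed entries carry the ticket so the
    suppression stays auditable. Expired exceptions alert again.
    """
    active = {(e.indicator, e.actor): e.ticket
              for e in exceptions if today <= e.expires}
    alerts, suppressed = [], []
    for value in events:
        actor = feed.get(value)
        if actor is None:           # rule does not match: no alert at all
            continue
        ticket = active.get((value, actor))
        if ticket:                  # exact indicator+actor pair was cleared
            suppressed.append((value, actor, ticket))
        else:                       # other indicators for that actor still alert
            alerts.append((value, actor))
    return alerts, suppressed

if __name__ == "__main__":
    sample = ["203.0.113.10", "cdn.example.test", "198.51.100.7", "192.0.2.1"]
    print(evaluate(sample, FEED, EXCEPTIONS, date(2020, 11, 17)))
```

Expired entries should be re-investigated rather than silently renewed, so the suppression list never outlives the evidence behind it.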
