Environment
- EDR Console: All Versions
Objective
Customize a threat intelligence (Response) feed to address false positives or to limit the data it collects.
Resolution
To Customize a Query:
- Navigate to the Threat Intelligence Page.
- Click on the threat reports for the feed to be tuned.
- Toggle the “Ignore” button from “No” to “Yes” on the report producing the false positive. This stops the feed's original report from running and tagging data while you build a tuned replacement.
- Click “Details” to open the report's details page.
- Click the blue hyperlinked “indicator” at the bottom of the page. This opens a process search page pre-populated with the query that the threat feed report runs.
- Add or remove search terms until the query excludes the noise in the environment but still catches the malicious or unusual behavior. Before saving, confirm that the tuned query still returns the true positives the original report caught; a query that is narrowed too far will silently stop alerting.
- Click the Wrench Icon and “Add Watchlist”.
- Set the alert and save changes.
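The steps above are performed in the console. The following is an added example (not from the original article and not the EDR product's own code) that does the same tuning programmatically: it appends negated terms to a feed report's process-search query, refuses an exclusion that would cancel one of the feed's own positive terms, and builds the body for creating the watchlist over the REST API. Assumptions, marked in the code: the Solr-style query syntax (space-separated terms are ANDed, a leading “-” negates a term), the `POST /api/v1/watchlist` endpoint with an `X-Auth-Token` header, the `search_query` format `q=<query>&cb.urlver=1`, and every query term, server name, and token shown, which are constructed sample values.

```python
"""Tune a noisy feed report query and create a watchlist from it.

Added example; not part of the original KB article or of the EDR product's
own code. Assumptions:
  * Process-search query syntax is Solr-style: space-separated terms are
    ANDed and a leading '-' negates a term (field names are illustrative).
  * Watchlists are created with POST /api/v1/watchlist, header X-Auth-Token,
    JSON body {name, search_query, index_type}, where search_query is the
    URL query string "q=<query>&cb.urlver=1" (assumed REST API format;
    verify against your console's API documentation before use).
"""
import json
import urllib.parse
import urllib.request
from typing import Iterable, List


def build_tuned_query(feed_query: str, exclusions: Iterable[str]) -> str:
    """Append negated terms to the feed report's query.

    An exclusion that matches one of the feed's own positive terms is
    rejected: the resulting query could never match anything, so the
    watchlist would stop alerting without any visible error.
    Duplicate exclusions are ignored.
    """
    terms: List[str] = feed_query.split()
    positive = [t for t in terms if not t.startswith("-")]
    for raw in exclusions:
        term = raw.strip().lstrip("-")  # accept "field:value" or "-field:value"
        if not term:
            continue
        if term in positive:
            raise ValueError(f"exclusion {term!r} cancels a positive feed term")
        negated = "-" + term
        if negated not in terms:
            terms.append(negated)
    return " ".join(terms)


def watchlist_payload(name: str, query: str, index_type: str = "events") -> dict:
    """JSON body for the new watchlist (assumed field names, see module doc).

    index_type "events" targets process searches, which is what the
    hyperlinked indicator on the report details page opens.
    """
    return {
        "name": name,
        "search_query": urllib.parse.urlencode({"q": query, "cb.urlver": "1"}),
        "index_type": index_type,
    }


def create_watchlist(server: str, api_token: str, payload: dict) -> int:
    """POST the watchlist to the EDR server and return its id (assumed endpoint)."""
    req = urllib.request.Request(
        f"{server.rstrip('/')}/api/v1/watchlist",
        data=json.dumps(payload).encode(),
        headers={"X-Auth-Token": api_token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # network call; not run in tests
        return json.load(resp)["id"]


if __name__ == "__main__":
    # Constructed sample: a feed report flags encoded PowerShell, which a
    # (hypothetical) management agent in this estate also runs legitimately.
    FEED_QUERY = "process_name:powershell.exe cmdline:EncodedCommand"
    tuned = build_tuned_query(FEED_QUERY, ["parent_name:ManagementAgent.exe"])
    payload = watchlist_payload("Tuned: encoded PowerShell", tuned)
    print(tuned)
    print(json.dumps(payload, indent=2))
    # create_watchlist("https://edr.example.internal", "<api token>", payload)
```

Run the tuned query in the console's process search first and check it still returns the original true positives; only then create the watchlist and set its alert, exactly as in the manual steps.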
To Ignore a Query:
- Navigate to the Threat Intelligence Page.
- Click on the threat reports for the feed to be tuned.
- Toggle the “Ignore” button from “No” to “Yes”. The report will no longer run and will no longer tag data on the server; existing tags from earlier runs are not removed by this step.
Related Content