EDR: How to Customize a Feed to Prevent False Positives

Environment

  • EDR Console: All Versions

Objective

Customize a Response Feed to address False Positives or to limit data collection

Resolution

To Customize a Query:

  1. Navigate to the Threat Intelligence Page.
  2. Click on the threat reports for the feed to be tuned.
  3. Toggle the “Ignore” button from “No” to “Yes” on the report producing the false positive.
  4. Click on details to go into a specific details page.
  5. Click on the blue hyperlinked “indicator” at the bottom of the page. This opens a process search page with the query that the threat feed is running.
  6. Add or remove search terms to the query to find a configuration that eliminates the noise in the environment but will still catch malicious/unusual behavior.
  7. Click the Wrench Icon and “Add Watchlist”.
  8. Set the alert and save changes.
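
As an added illustration of step 6 (this code is not from the article or from the product), the snippet below evaluates a feed query and a tuned version of it against two constructed process records, showing that the exclusion term removes the known-benign parent while the suspicious case is still tagged. The query subset it understands (`field:value` terms, a leading `-` for exclusion, implicit AND, substring matching) and the field names are assumptions that only approximate the console's search syntax.

```python
import shlex

def parse_query(query: str):
    """Split a query into (field, value, negated) terms.
    Supports field:value, field:"quoted value" and a leading '-' for exclusion."""
    terms = []
    for tok in shlex.split(query):
        negated = tok.startswith("-")
        field, _, value = tok.lstrip("-").partition(":")
        terms.append((field, value.lower(), negated))
    return terms

def matches(query: str, proc: dict) -> bool:
    """True when every positive term matches and no excluded term matches.
    Values are compared as case-insensitive substrings (an approximation)."""
    for field, value, negated in parse_query(query):
        hit = value in str(proc.get(field, "")).lower()
        if hit == negated:   # positive term missed, or exclusion matched
            return False
    return True

# Constructed sample process records (hypothetical, not real telemetry).
PROCESSES = [
    {"process_name": "powershell.exe", "parent_name": "sccm-agent.exe",
     "cmdline": "powershell.exe -EncodedCommand <base64>"},   # benign: software deployment agent
    {"process_name": "powershell.exe", "parent_name": "winword.exe",
     "cmdline": "powershell.exe -EncodedCommand <base64>"},   # suspicious: spawned by Office
]

# A constructed stand-in for what a feed report runs, and the tuned version
# that excludes the noisy parent process while keeping the Office-spawned case.
FEED_QUERY = 'process_name:powershell.exe cmdline:"-EncodedCommand"'
TUNED_QUERY = FEED_QUERY + " -parent_name:sccm-agent.exe"

def hits(query: str):
    """Return the parent_name of every sample process the query would tag."""
    return [p["parent_name"] for p in PROCESSES if matches(query, p)]

if __name__ == "__main__":
    print("feed :", hits(FEED_QUERY))    # both parents: the agent is a false positive
    print("tuned:", hits(TUNED_QUERY))   # only winword.exe remains
```

Before saving the tuned query as a watchlist (step 7), re-run it over a few days of data to confirm the exclusion is narrow enough that it cannot be satisfied by the behaviour you still want to catch.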

To Ignore a Query:

  1. Navigate to the Threat Intelligence Page.
  2. Click on the threat reports for the feed to be tuned.
  3. Toggle the “Ignore” button from “No” to “Yes”. The report will no longer run and will not tag data on the server.

Article Information

Creation Date: 01-03-2019