This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Dealing with False Positives in App Rules

Go to solution
JeremyKerwin
Valued Contributor
Valued Contributor

‎2022-10-20 02:27 AM

What's the best practice for dealing with false positives with regard to App Rules.

 

For example, we have an application that runs out of the 'AppData' directory and is unsigned. Because of this the Respond module continually alerts that it thinks that something is malicious and triggers a rule from the Endpoint Bundle.

 

I have a list of file hashes that are clean and not malicious that I want to 'allowlist' from these types of alerts.

I don't want to remove the meta completely from the system but I also don't want to these alerts to keep triggering. 

 

What are my options here and what is the 'best course of action' for this case.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions
1 REPLY 1

Go to solution
JeremyKerwin
Valued Contributor
Valued Contributor

‎2022-11-03 06:28 AM

This blog post by @CodySpooner is apparently what I need to read and digest.

https://community.netwitness.com/t5/netwitness-community-blog/endpoint-bundle-tuning/ba-p/678774

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.