2020-11-17 03:14 AM
I'm interested in learning what would be best practice for filtering false alerts.
We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors.
An ESA alert is created to alert on those threat actors names and that sometimes causes false positive alerts. It's just a simple alert (select * if alert = <insert actor name>)
I don't think I can get into the feed file because it isn't in clear text and the intel vendor won't remove them.
We've done our investigation on these alerts and their false positives, so I'd like to filter them out as FPs. What's the best practice for doing that?
2020-11-17 12:51 PM
This looks like a good use case for Context Hub lists in your rules: Alerting: Configure a Context Hub List as an Enrichment Source
Even better, if your environment is on 11.5+, you can add/remove your indicators from Context Hub blacklists and whitelists auto-magically using the @RSAContext annotation: https://community.rsa.com/docs/DOC-110233
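A plain-Python sketch of the suppression logic described in that reply, added here as an illustration and not NetWitness or ESA code: a feed lookup enriches the event with the actor name, and an allowlist of indicators already investigated and closed as false positives suppresses the alert. The feed entries, the meta key names (ip.src, ip.dst, alias.host, email.src), the sample events and the allowlist are all constructed. The point it adds to the thread is that the allowlist should be keyed on the indicator (IP, domain or email), not on the actor name, so the actor's other indicators still alert, and that each entry should carry a review date so a suppression does not live forever.

```python
from datetime import date
from typing import Optional

# Constructed sample of a vendor feed (indicator -> threat actor). Not real data.
FEED = {
    "203.0.113.10": "ACTOR_A",
    "203.0.113.11": "ACTOR_A",
    "mail.example.net": "ACTOR_A",
    "198.51.100.5": "ACTOR_B",
}

# Constructed allowlist of indicators investigated and closed as false positives.
# Keyed on the indicator rather than the actor so ACTOR_A's other indicators
# keep alerting. The value is the date the suppression lapses for re-review.
FP_ALLOWLIST = {
    "203.0.113.10": date(2021, 2, 1),
    "mail.example.net": date(2021, 2, 1),
}

# Assumed meta keys an event might carry; names chosen for illustration.
INDICATOR_KEYS = ("ip.src", "ip.dst", "alias.host", "email.src")


def matched_indicator(event: dict) -> Optional[tuple]:
    """Return (indicator, actor) for the first event field found in the feed."""
    for key in INDICATOR_KEYS:
        value = event.get(key)
        if value in FEED:
            return value, FEED[value]
    return None


def is_suppressed(indicator: str, today: date) -> bool:
    """True while the indicator is allowlisted and its review date has not passed."""
    expiry = FP_ALLOWLIST.get(indicator)
    return expiry is not None and today < expiry


def triage(events, today: date) -> list:
    """Enrich each event against the feed and drop hits on allowlisted indicators."""
    alerts = []
    for ev in events:
        hit = matched_indicator(ev)
        if hit is None:
            continue
        indicator, actor = hit
        if is_suppressed(indicator, today):
            continue
        alerts.append({"actor": actor, "indicator": indicator, "event": ev})
    return alerts


# Constructed sample events covering each path through triage().
SAMPLE_EVENTS = [
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.10"},          # allowlisted FP
    {"ip.src": "10.0.0.6", "ip.dst": "203.0.113.11"},          # same actor, still alerts
    {"ip.src": "10.0.0.7", "alias.host": "mail.example.net"},  # allowlisted FP
    {"ip.src": "10.0.0.8", "ip.dst": "198.51.100.5"},          # ACTOR_B, alerts
    {"ip.src": "10.0.0.9", "ip.dst": "192.0.2.1"},             # not in feed
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, date(2020, 11, 18)):
        print(f"{a['actor']:8} {a['indicator']:18} {a['event']}")
```

Run on the sample events before the review date, only the 203.0.113.11 and 198.51.100.5 hits survive; once the review date passes, the two suppressed indicators alert again until someone re-closes them.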
2020-11-18 02:23 AM
Thanks Josh, that sounds perfect.
And we are on 11.5+ as well.