Managing false positives

This section explains how to manage the False Positives supplier on the Feeds tab. Make sure that the General tenant is selected from the drop-down list that has all available tenants, in the upper-left area of the window.

You can access the false positives list by clicking the Manage False Positives button in the Filtering rules for feeds section.

Managing the false positives list

To access the false positives list, click the Manage False Positives button.

The False Positives window opens:

cybertrace_web_feeds_cfg_white_list

False Positives list

You can edit the false positives list of indicators as follows:

Select the URL, Hash, or IP address tab to manage the group you want.
On the URL tab, you can specify a URL containing a wildcard symbol * (for example, example.com/testpage/*, which will match URLs such as example.com/testpage/test1 and example.com/testpage/test/long_url).

Starting from Kaspersky CyberTrace version 4.0, the * symbol in the URL is not used as a wildcard. The * just means the "asterisk."

Kaspersky CyberTrace will apply normalization rules to any URL that you add on the URL tab and which is not yet contained in the indicator database. Thus, the representation of these URLs may change. For example, if you add a URL that contains a port, this port value will be removed. For instructions on how Kaspersky CyberTrace normalizes a URL, see subsection "URL normalization rules" below.
Every indicator must be on a separate line in the text box.

The false positives list is checked only after all events from a thread have been matched against all the suppliers. The main purpose of the false positives list is to enable Kaspersky CyberTrace to ignore detections for trusted indicators. If any feed produces a detection, but a given indicator is found in the false positives list, Kaspersky CyberTrace does not generate a detection event. In this case, on the Dashboard tab, in the Supplier statistics table, the value in the False positives column corresponding to the supplier that produced the detection is incremented by one. The values in the False positives column show how many false detections were produced by each supplier. For more information about the Dashboard, see section "Kaspersky CyberTrace Dashboard".

URL normalization rules

Any URLs added to the false positives list on the URL tab will be normalized according to the rules specified in section "URL normalization rules".

Page top