Remediate a false positive incident

If you are sure an attack is not a genuine attack, in other words a false positive, you can define how to prevent the incident from happening again. For example, you can add the incident to a protection plan allowlist.

To remediate a false positive incident

1. In the cyber kill chain for the selected incident, click Remediate entire incident. The Remediate entire incident dialog is displayed.
2. In the Analyst verdict section, select False positive.

   

3. In the Prevention actions section, select the Add to allowlist check box. From the displayed protection plan list, select the relevant protection plans.

   This prevention action ensures all detections of the incident will be prevented from being detected for the selected protection plans.

4. Select the Change investigation state of the incident to: False positive check box.
5. Click Remediate.

   Once clicked, the button displays Go to activities. Click Go to activities to review the response actions applied to the incident. For more information, see Understand the actions taken to mitigate an incident.