Configuring an Event or Flow As False Positive
Legitimate network traffic might trigger false positive flows and events, which makes it difficult to identify true security incidents. You can prevent events and flows from correlating into offenses by configuring them as false positives.
- From the Log Activity or Network Activity tab, click the pause icon on the upper right to stop real-time streaming of events or flows.
- Select the event that you want to tune.
- Click False Positive.
- Select an event or flow property option.
- Select a traffic direction option.
- Click Tune.
An event or flow that matches the specified criteria no longer correlates into offenses. To edit false positive tuning, use the User-BB_FalsePositive: User Defined Positive Tunings building block in the Rules section on the Offenses tab.