---
title: "False Positives Overview | ThreatConnect"
slug: "false-positives-overview"
description: "This article describes false positives in ThreatConnect and the corresponding minimum role and prerequisites for this feature."
tags: ["Enriching Data"]
updated: 2024-03-18T15:23:55Z
published: 2024-03-18T15:23:55Z
canonical: "knowledge.threatconnect.com/false-positives-overview"
---

# False Positives Overview

## Overview

A false positive is an Indicator that has been erroneously classified as malicious. ThreatConnect® allows users to report false positives, but each user can report a given Indicator as a false positive only once per day; different users may therefore each report the same Indicator once on the same day. The status of an Event Group can also be set to “False Positive,” and, if desired, all Indicators associated with the Event can be marked as false positives.

## Before You Start

| Minimum Role(s) | - Organization role of Read Only User (for viewing false-positive counts and dates on which false positives were reported)<br>- Organization role of Standard User (for reporting false positives)<br>- Organization role of Organization Administrator (for enabling data from API users to be included in the observations and false-positive counts) |
| --- | --- |
| Prerequisites | An [Indicator or Event Group](https://knowledge.threatconnect.com/v1/docs/the-threatconnect-data-model) |

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.*

20047-01 v.08.A

## Related

- [The Details Screen](/the-details-screen.md)
