Viewing and Reporting False Positives
- 20 Mar 2023
- 2 Minutes to read
-
Print
-
DarkLight
Viewing and Reporting False Positives
- Updated on 20 Mar 2023
- 2 Minutes to read
-
Print
-
DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Follow the steps in this article to access view and report false positives for an Indicator on its Details screen.
Important
Standard Users can report false positives and view the date on which they were reported; Read Only Users can only view the date on which false positives were reported. Full names of users who reported false positives will be displayed only for users in the same Organization or for users who have a role that allows the viewing of System accounts (e.g., Administrator, Accounts Administrator, or Community Leader). Users who can view the full names of users who have reported false positives may also delete false-positive reports if their Organization role is Standard User, Sharing User, or Organization Administrator.
New Details Screen
- Navigate to the Details screen for an Indicator.
- On the Overview tab, scroll down to view the Observations, False Positives & Impressions card on the right side of the screen (Figure 1). False-positive data are displayed in the following sections on the card:
- Local Instance: The False Positives subsection displays false-positive data derived from your local ThreatConnect instance, including the total number of times the Indicator was reported as a false positive, the date when it was last reported as a false positive, and false positives reported by API users in your Organization.
- Global CAL™: The Daily False Positives chart represents the number of times the Indicator was reported as a false positive day by day across all ThreatConnect instances opted in to CAL. The False Positives subsection displays false-positive data derived from CAL, including the date when the Indicator was last reported as a false positive, the total number of times it was reported as a false positive, and the number of times it was reported as a false positive in the last 7 days.
- To report the Indicator as a false positive, select the Report False Positive checkbox at the top right of the Local Instance section. After you select this checkbox, a View Details button will be displayed below the Report False Positive checkbox, an updated false-positive count will be displayed next to Reported, and the current date will be displayed next to Last Reported (Figure 2).
- Click the View Details button to display the False Positive List window, which provides a list of users who reported false positives and the dates on which the false positives were reported (Figure 3). If desired, click Delete
to delete a false-positive report.
Legacy Details Screen
- Navigate to the legacy Details screen for an Indicator.
- On the Overview tab, scroll down to the Observations/False Positivescard on the right side of the screen (Figure 4). False-positive data are displayed in the following sections on the card:
- False Positives Reported: The number of times the Indicator has been reported as a false positive.
- Last Reported: The most recent date when the Indicator was reported as a false positive.
- API User Table: The table at the bottom of the card displays false positives reported by API users and the most recent date when they reported the Indicator as a false positive.
- To report the Indicator as a false positive, select the Report False Positive checkbox. After you select this checkbox, an updated false-positive count and a View Details link will be displayed next to False Positives Reported, and the current date will be displayed next to Last Reported (Figure 5).
- Click the View Details link to display the False Positive List window, which provides a list of users who reported false positives and the dates on which the false positives were reported (Figure 6). If desired, click Delete
to delete a false-positive report.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
20047-02 v.09.A
Was this article helpful?
