Deal with false positives

Can one overrule a triggered detection and response rule via e.g. the API, for example if a false positive is identified by my company? Or does the Kibana SIEM allows an analist to revert any automatic responses?

Hi, Piet -- if I understand your question correctly, yes, it's possible to whitelist alerts by hash, signer, etc. that you or your company determine to be false positives via the API. Once you take this action, we will no longer show alerts for the specific criteria you whitelisted (hash, signer, etc.). I hope that answers your question!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.