Dealing with False Positives

Hey,

I've discovered a false positive in the rule Suspicious JAVA Child Process (which is quite scary at this time of the year...) with the meeting-software Jitsi that should affect some other people. Is there currently a way to report false positives to the detection engineering team, and how would Elastic currently implement them? e.g. through pre-populated exceptions for rules?

The issue type "Tune existing rule" on Github explicitly states: "Suggestion for logic changes to an existing rule". To me this sounds like you're currently not looking for individual false positive reports?

The gist of it: the Jitsi Video Bridge (JVB) component spawns bash commands at startup. This is picked up by the detection engine as follows:
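To illustrate the "pre-populated exceptions for rules" approach raised above, here is an added example (not from the original post or from Elastic's rule set) that models a rule exception keyed on the JVB parent executable and its main class, so the JVB startup case is suppressed while any other JVM spawning a shell still alerts; the paths, the main class name and the simplified rule condition are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """Process-start event with ECS-style field names."""
    event_id: str
    name: str                      # process.name (the child)
    parent_name: str               # process.parent.name
    parent_executable: str         # process.parent.executable
    parent_args: list = field(default_factory=list)  # process.parent.args


@dataclass
class RuleException:
    """Exception item: both conditions must hold for the alert to be suppressed."""
    parent_executable: str
    required_parent_arg: str


SHELLS = {"bash", "sh", "dash"}


def rule_matches(ev: ProcessEvent) -> bool:
    # Simplified stand-in for the rule: a JVM spawning a shell. The real rule
    # logic is not reproduced here; this condition is an assumption.
    return ev.parent_name == "java" and ev.name in SHELLS


def is_excepted(ev: ProcessEvent, exceptions: list) -> bool:
    # Pin the parent by executable *and* a distinctive argument, so a random
    # java process on the same host that spawns bash is not silenced too.
    return any(
        ev.parent_executable == ex.parent_executable
        and ex.required_parent_arg in ev.parent_args
        for ex in exceptions
    )


def evaluate(events: list, exceptions: list) -> list:
    """Return the ids of events that still raise an alert after exceptions."""
    return [ev.event_id for ev in events
            if rule_matches(ev) and not is_excepted(ev, exceptions)]


# Constructed sample data; the path and the JVB main class are assumptions.
JVB_JAVA = "/usr/lib/jvm/java-11-openjdk-amd64/bin/java"
EXCEPTIONS = [RuleException(JVB_JAVA, "org.jitsi.videobridge.MainKt")]
SAMPLE_EVENTS = [
    ProcessEvent("ev-1", "bash", "java", JVB_JAVA, ["-Xmx3072m", "org.jitsi.videobridge.MainKt"]),  # JVB startup: excepted
    ProcessEvent("ev-2", "bash", "java", JVB_JAVA, ["-jar", "unknown.jar"]),  # unknown JVM: still alerts
    ProcessEvent("ev-3", "python3", "java", JVB_JAVA, ["-jar", "app.jar"]),   # rule does not match
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, EXCEPTIONS))  # ['ev-2']
```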

Hi @nemhods. Guidance on how to submit false positive reports is available here
