In an Elastic alert rule (Security | rules) under about | advanced settings, there is a field "False positive examples". I've tested with two IP addresses and triggered a virus (eicar) detection rule, with one of these IP addresses in the false positive example field. I did not notice any difference in result between the two hits on this alert rule. I've looked at the documentation, but found it ([Create a detection rule | Elastic Security Solution [8.15] | Elastic]) not very helpful.
Is there somebody who knows the explanation of the working and meaning of the available fields under advanced settings in an alert rule?
This field has a purely informative purpose. It does not have any effect on rule execution or on the number of generated alerts.
It can be used to give examples, on the rule details page, of possible false positives while triaging existing alerts.
For example, the section "False Positive Analysis" for one of the Elastic Security rules gives insights into which cases alerts might be false positives.