To reduce the number of false positives, you may want to create False Positive rules. Similarly to Detection and Response (D&R) rules, False Positive rules are created on per tenant level. This means that if you have more than one organization you want to apply the rule to, you will want to
re-create the same rule in multiple organizations, or
using our infrastructure as code functionality, push your FP rules to multiple tenants within seconds.
There are multiple ways to create a False Positive rule in LimaCharlie web app.
Create a False Positive (FP) rule from detections
This is the quickest and the most common way to create a FP rule. On every detection, you can click the
Mark False Positive button.
Clicking the button will pre-populate the details of the event and automatically generate a draft False Positive rule which you can edit before saving. The details about the structure of the False Positive rules can be found in our technical documentation.
After the rule is saved, it will appear in the False Positive Rules section and can be edited/deleted there.
Create a False Positive rule from scratch
While creating False Positive (FP) rule from detections is a common and easy way to reduce the number of false positives, you do not need to wait for the detection to happen before creating a FP rule. The False Positive Rules section allows you to create a False Positive rule from scratch.
To create a new False Positive rule, click the
New Rule button.
This will open a rule editor allowing you to create a new rule.
An FP rule is structured with the same format at the detection component of a D&R rule. The main difference is that the rule applies to the content of a detection, as can be seen in the
Detections section of the web app.
To learn more about writing FP and D&R rules, visit our technical documentation.
After you click
Save Rule, you will get the ability to set a rule name as well as an Expiry Date (optional). Setting an expiry date allows you to create a rule that will expire at a certain time.
Please note that expiry times must be set in the user's preferred time (not in UTC).