Carbon Black EDR lets you ignore future instances of a false positive alert from a threat feed. You can choose to ignore an individual alert, or specify that all alerts matching your search criteria should be ignored in the future.
Feeds use a variety of criteria to determine if a file or event is a threat, and you might not agree with all of the alerts that are generated by certain feeds. When you review alerts and determine that an alert is not reporting an actual threat, you can mark that alert as a “false positive”, so you can eliminate it from the list of alerts that require your attention.
Note: Only threat feed alerts can be designated as alerts to ignore. Alerts from watchlist matches are always triggered, since watchlists are assumed to use criteria that your Carbon Black EDR users select.