Hi All,
Has any of you tried to prepare report or dashboard which will show you the amount of false positive alerts. We want to reduce the number the amount of the incoming alerts and focus more on the real threats.
Thanks for your recommendations!
Nadya
Hi Nadya,
It may be possible to use the investigation audit log for this. Decisions/changes to investigations are logged here and you can use this audit data to build dashboards and reports. See screenshot for a vary basic example
Hi Daragh,
Thanks for you advice! Very much appreciated!
Take care.
Nadya
where(“action” = “INVESTIGATION_DISPOSITION_ADDED”) groupby(“service_info.new_disposition”)
Seems to be a good query to use, there you could build a Pie or Bar chart to see the percentage of Benign events compared to the Malicious ones for instance
Thanks! David!
