R7 InsightIDR - need to create a report/dashboard for calculation of the false positive alerts

Hi All,

Have any of you tried to prepare a report or dashboard which will show you the amount of false positive alerts? We want to reduce the number of incoming alerts and focus more on the real threats.

Thanks for your recommendations!


Hi Nadya,
It may be possible to use the investigation audit log for this. Decisions/changes to investigations are logged there, and you can use this audit data to build dashboards and reports. See the screenshot for a very basic example.

Hi Daragh,
Thanks for your advice! Very much appreciated!
Take care.

where("action" = "INVESTIGATION_DISPOSITION_ADDED") groupby("service_info.new_disposition")

That seems to be a good query to use; from there you could build a pie or bar chart to see the percentage of Benign events compared to the Malicious ones, for instance.
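
As an added illustration (not code from the thread or from Rapid7), here is the same disposition breakdown computed offline over constructed audit-log records, with one caveat the groupby() query does not handle: an investigation whose disposition was changed more than once is counted once per change, so the script also counts each investigation only by its latest disposition. The "timestamp" and "investigation_id" fields in the sample records are assumptions; "action" and "service_info.new_disposition" are the fields the query above uses.

```python
import json
from collections import Counter

ACTION = "INVESTIGATION_DISPOSITION_ADDED"

# Constructed sample of investigation audit-log events (not real data).
# "action" and "service_info.new_disposition" are the fields the query in the
# thread uses; "timestamp" and "investigation_id" are assumed for this example.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T09:00:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-1", "new_disposition": "BENIGN"}}
{"timestamp": "2024-05-01T09:05:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-2", "new_disposition": "MALICIOUS"}}
{"timestamp": "2024-05-01T09:10:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-3", "new_disposition": "BENIGN"}}
{"timestamp": "2024-05-01T09:20:00Z", "action": "SOME_OTHER_ACTION", "service_info": {"investigation_id": "inv-4"}}
{"timestamp": "2024-05-01T11:00:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-3", "new_disposition": "MALICIOUS"}}
{"timestamp": "2024-05-01T12:00:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-4", "new_disposition": "NOT_APPLICABLE"}}
"""

def disposition_events(text):
    """Yield parsed disposition-change events, skipping blank lines and other actions."""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        if event.get("action") == ACTION:
            yield event

def per_event_counts(text):
    """What the thread's groupby() query reports: one count per disposition event."""
    return Counter(e["service_info"]["new_disposition"] for e in disposition_events(text))

def per_investigation_counts(text):
    """Count each investigation once, using its most recent disposition."""
    latest = {}  # investigation_id -> (timestamp, disposition)
    for e in disposition_events(text):
        info = e["service_info"]
        inv = info["investigation_id"]
        # ISO-8601 UTC timestamps compare correctly as strings
        if inv not in latest or e["timestamp"] > latest[inv][0]:
            latest[inv] = (e["timestamp"], info["new_disposition"])
    return Counter(disp for _, disp in latest.values())

def false_positive_rate(counts, benign_labels=("BENIGN",)):
    """Share of investigations (or events) closed as benign; 0.0 when nothing is counted."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(counts[label] for label in benign_labels) / total
```

On the sample data the per-event view reports 2 of 5 events as BENIGN (0.4), while the per-investigation view reports 1 of 4 (0.25), because inv-3 was re-dispositioned to MALICIOUS.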

Thanks, David!