
5 Reasons to Mark a False Positive in ThreatConnect

By taking an intelligence-driven approach, we can start to connect the dots in a more interesting fashion

ThreatConnect allows you to curate almost every facet of your intelligence — including indicator reputation. One of the best ways you can help keep a tidy shop is to flag an indicator as a False Positive (FP) when you encounter it. Notionally we’re all familiar with what this should do: it tells your colleagues (both human and software) that this indicator isn’t actually a threat and can be skipped in your day-to-day analysis.

By taking an intelligence-driven approach however, we can start to connect the dots in a more interesting fashion. Beyond signaling your coworkers, flagging an indicator as a False Positive has some interesting and far-reaching implications. Read on to see what impact you can have across the world with a single button click!

1. Decrease in ThreatAssess Score

Our ThreatAssess algorithm leverages input from users to fine-tune an indicator’s reputation. The most immediate impact of clicking the False Positive button is that it affects the score of an indicator. On a 1000-point scale, an indicator’s score drops as it continues to accrue FP votes. The calculation includes votes within your organization and votes across organizations, and it accounts for the age of votes over time. The ThreatAssess score shapes how quickly your team can understand and triage indicators, and it can also influence integrations downstream.

2. False Positive Filters

As FP votes accumulate on an indicator, controls built across the platform let you sort data accordingly. Since FPs are a valuable form of context around your intelligence, we want to make sure you can access them in meaningful ways that help inform your decisions:

  • Use filters on the Browse screen to remove indicators with FP votes and clean up your workflow
  • Create Dashboard cards to identify which feeds and data sources are producing high concentrations of FPs in your network
  • Leverage our API and integration-based filters to fine-tune your tolerance for suspected FP indicators across your ecosystem

3. Global CAL counts

If you’re participating in ThreatConnect’s CAL™ (Collective Analytics Layer), all of the FP votes on an indicator are sent to be anonymized and aggregated. These totals drive the rows you see in the Analytics card on an indicator’s Details Page, and they provide valuable insight into how all analysts view an indicator. In addition to informing (and being informed by) your team, you can benefit from the analysis of the entire ThreatConnect user base.

4. Feed Evaluation

CAL doesn’t just count all of the FP votes; it puts them to work. One of CAL’s key uses for FP votes is feed evaluation, in the form of Report Cards. If you’re ever wondering which open source feeds to enable in your system, Report Cards are there to help! CAL computes key metrics of how each feed is performing across the ThreatConnect ecosystem, and your FP votes help inform the Reliability Score of a feed. As I discussed in our blog post about Report Cards, Reliability Score is a measure of how many, and how egregious, the FPs are within a given feed. We’re all familiar with the garbage in/garbage out problem; this is one of our best ways of identifying the big offenders!

5. CAL Analytics

There are multiple other analytics that CAL runs based on FP votes, each of which could fill its own blog post. CAL incorporates FP votes at a fundamental level into things like indicator reputation, classification, indicator status, and more! There’s more to consider than just the number of FP votes, so CAL uses its massive dataset and computing power to weigh additional factors such as FP vote timeliness, consensus, and other things we find to be significant.

The more data CAL accumulates, the smarter these analytics get!

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, the ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.