Applies To:
Halcyon Console and Agent
Overview:
A false positive occurs when legitimate activity is identified as risky or malicious.
- Legitimate Alert: If well-founded, we escalate to the customer and initiate the eviction process for the ransomware attacker.
- False Positive: If the alert is deemed a false positive, we use one or more targeted remediation steps to ensure it doesn’t recur.
Halcyon ensures false positives are minimized by continuously refining both our whitelisting and machine-learning processes in the following ways:
- Hash Whitelisting
  - Allows a specific executable hash to run.
  - If the file changes (e.g., via an upgrade), its hash changes too, so it may generate another alert.
- Certificate Whitelisting
  - Allows any binary signed by a particular certificate to run.
  - If the executable is signed by the same organization, no new alerts are created.
- Known Good Software Signature
  - Created after a false positive has been resolved via Hash Whitelisting.
  - Permits software updates (new versions, functionality changes) without triggering fresh alerts, provided core elements remain consistent.
- Model Retraining
  - Occurs regularly to prevent repeated false positives.
  - Whitelisted or tagged executables with a Known Good Software Signature are added to the training or testing bucket so future model updates recognize them as safe.
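The following is an added, constructed example (not Halcyon's code, and not a description of how the Halcyon agent is implemented) that models the difference between the three override types above. A hash override clears exactly one build; a certificate override follows the signer across upgrades; the "known good" profile is a stand-in keyed on publisher and product name, since the article does not state which core elements Halcyon compares. The `Binary` and `Allowlist` classes, the thumbprint value and the product strings are all assumptions made for the illustration.

```python
"""Constructed model of layered false-positive overrides (hash, certificate,
known-good profile). Illustrative only; not Halcyon's implementation."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Binary:
    """An executable as an agent might describe it. signer_thumbprint is
    assumed to be populated only after the signature has been verified."""
    content: bytes
    publisher: str
    product: str
    signer_thumbprint: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Allowlist:
    hashes: set = field(default_factory=set)            # Hash Whitelisting
    cert_thumbprints: set = field(default_factory=set)  # Certificate Whitelisting
    known_good: set = field(default_factory=set)        # (publisher, product); assumed stand-in


def evaluate(binary: Binary, allowlist: Allowlist) -> str:
    """Return which override cleared the binary, or 'alert' if none did."""
    if binary.sha256 in allowlist.hashes:
        return "hash"
    if binary.signer_thumbprint is None:
        # Unsigned code never benefits from signer-based overrides; otherwise
        # anyone could copy the publisher/product strings into a malicious file.
        return "alert"
    if binary.signer_thumbprint in allowlist.cert_thumbprints:
        return "certificate"
    if (binary.publisher, binary.product) in allowlist.known_good:
        return "known-good"
    return "alert"


def upgrade_scenario() -> dict:
    """Walk a signed tool through an upgrade under each override type."""
    cert = "A1B2C3"  # constructed thumbprint
    v1 = Binary(b"backup-tool v1.0", "Example Corp", "BackupTool", cert)
    v2 = Binary(b"backup-tool v1.1", "Example Corp", "BackupTool", cert)
    # Constructed tampered copy: same metadata strings, no valid signature.
    fake = Binary(b"backup-tool v1.1 + payload", "Example Corp", "BackupTool", None)

    hash_only = Allowlist(hashes={v1.sha256})
    cert_based = Allowlist(cert_thumbprints={cert})
    profile = Allowlist(known_good={("Example Corp", "BackupTool")})

    return {
        "v1_hash": evaluate(v1, hash_only),       # cleared by the hash override
        "v2_hash": evaluate(v2, hash_only),       # upgrade changed the hash: alert again
        "v2_cert": evaluate(v2, cert_based),      # same signer: cleared
        "v2_profile": evaluate(v2, profile),      # same publisher/product: cleared
        "fake_profile": evaluate(fake, profile),  # unsigned look-alike: alert
    }


if __name__ == "__main__":
    for case, outcome in upgrade_scenario().items():
        print(f"{case}: {outcome}")
```

The ordering in `evaluate` matters: the unsigned check sits before the signer-based tiers so that a profile override can never be satisfied by metadata alone, which is the practical reason the Known Good Software Signature is only created after a verified hash override has been resolved.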
Action:
When the Halcyon platform generates prevention alerts or detections, the Threat Response team immediately triages those alerts to determine whether they are legitimate or a false positive and, if legitimate, escalates to the customer to achieve resolution. You can learn more about the Threat Research Alerts Triage Process here.
As an Administrator, you can also self-manage False Positive remediation by analyzing the alerts, identifying if the detected activity is legitimate, and creating appropriate overrides for those legitimate activities. You can learn more about Overrides in these Knowledge Base articles: