False Positive Triage

Reports a false positive, turns off all monitors, resets all ratings, waits 25 hours for CAL to pick up the change, and finally deletes the indicator and republishes all groups associated with the indicator.

There are two versions of this playbook: one that works in ThreatConnect instances before version 5.7 and one that works in versions 5.7 and later.

Pre 5.7 Version

This playbook triages false positives by:

  • reporting a false positive
  • turning off all monitors (DNS/WHOIS)
  • resetting all ratings

Everything in the pre-5.7 directory works in ThreatConnect versions before 5.7. The pre-5.7/False Positive Triage Standalone - pre 5.7.pbx playbook can be installed on its own and provides a UserAction trigger to triage false positives. There are also two interface playbooks (pre-5.7/False Positive Triage HTTP Interface.pbx and pre-5.7/False Positive Triage Trigger Interface.pbx) that expose the false positive triage component through different triggers. The advantage of this structure is that it is more flexible and interface-agnostic: the triage logic is written once and any trigger can drive it.

Documentation

Triggers

  • UserAction

Datastores

This playbook uses the following datastores:

  • POST organization/falsePositives/None:
    • Datastore Organization:
    • Datastore Entity: #App:1445141972:tc.indicator!TCEntity

Post 5.7 Version

This playbook triages false positives by:

  • reporting a false positive
  • turning off all monitors (DNS/WHOIS)
  • resetting all ratings
  • waiting for 25 hours (to make sure CAL gets the new information)
  • deleting the indicator
  • republishing all groups previously associated with the indicator

Everything in the post-5.7 directory works only in ThreatConnect version 5.7 and later.
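The ordering of the six steps above matters: the group associations must be captured before the indicator is deleted (they disappear with it), and the delete must not run until the 25-hour CAL wait has elapsed. The following is an added illustration of that sequence against a constructed in-memory model; it is not the playbook's own logic and not the ThreatConnect API (the Indicator, TriageState, start_triage, finish_triage and run_demo names are all assumptions for this example).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CAL_WAIT = timedelta(hours=25)  # wait so CAL picks up the false-positive report

@dataclass
class Indicator:
    """Constructed stand-in for a ThreatConnect indicator (not the real API)."""
    value: str
    rating: float = 3.0
    confidence: int = 50
    dns_active: bool = True     # DNS monitor
    whois_active: bool = True   # WHOIS monitor
    false_positives: int = 0
    groups: list = field(default_factory=list)  # associated group ids

@dataclass
class TriageState:
    reported_at: datetime
    groups_to_republish: list
    republished: list = field(default_factory=list)

def start_triage(ind: Indicator, now: datetime) -> TriageState:
    """Steps 1-3: report the false positive, turn off monitors, reset ratings.
    Group associations are captured now; they are lost once the indicator is deleted."""
    ind.false_positives += 1
    ind.dns_active = ind.whois_active = False
    ind.rating, ind.confidence = 0.0, 0
    return TriageState(reported_at=now, groups_to_republish=list(ind.groups))

def finish_triage(store: dict, value: str, state: TriageState, now: datetime) -> bool:
    """Steps 5-6: delete the indicator, then republish its former groups.
    Returns False (and changes nothing) until the 25-hour CAL wait has elapsed."""
    if now - state.reported_at < CAL_WAIT:
        return False
    del store[value]
    state.republished = list(state.groups_to_republish)
    return True

def run_demo() -> dict:
    """Run the sequence on a constructed indicator and report what happened."""
    store = {"bad.example": Indicator("bad.example", groups=[101, 202])}
    t0 = datetime(2024, 1, 1, 12, 0)
    state = start_triage(store["bad.example"], t0)
    early = finish_triage(store, "bad.example", state, t0 + timedelta(hours=24))
    done = finish_triage(store, "bad.example", state, t0 + timedelta(hours=25))
    return {"early": early, "done": done, "remaining": list(store),
            "republished": state.republished}
```

Running run_demo() shows the premature delete attempt at 24 hours refused, and the indicator removed and both groups queued for republishing once the full wait has passed.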

Documentation

Triggers

  • UserAction