Managing false positives

This section explains how to manage the False Positives supplier on the Feeds tab. Make sure that the General tenant is selected from the drop-down list that has all available tenants, in the upper-left area of the window.

You can access the false positives list by clicking the Manage False Positives button in the Filtering rules for feeds section.

Managing the false positives list

To access the false positives list, click the Manage False Positives button.

The False Positives window opens:

Figure: False Positives list

You can edit the false positives list of indicators as follows:

The false positives list is checked only after all events from a thread have been matched against all the suppliers. The main purpose of the false positives list is to enable Kaspersky CyberTrace to ignore detections for trusted indicators. If a feed produces a detection but the matched indicator is on the false positives list, Kaspersky CyberTrace does not generate a detection event. Instead, on the Dashboard tab, in the Supplier statistics table, the value in the False positives column for the supplier that produced the detection is incremented by one. The values in the False positives column therefore show how many false detections each supplier produced. For more information about the Dashboard, see section "Kaspersky CyberTrace Dashboard".

URL normalization rules

Any URLs added to the false positives list on the URL tab will be normalized according to the following URL normalization rules:

  1. Remove dot segments ("." and "..") according to the algorithm described in RFC 3986, section 5.2.4 Remove Dot Segments (https://www.ietf.org/rfc/rfc3986.txt):

    http://www.example.com/../a/b/../c/./d.html => http://www.example.com/a/c/d.html

  2. Remove the protocol:

    http://example.com => example.com

  3. Convert internationalized domain names according to the Punycode algorithm described in RFC 3492 (https://www.ietf.org/rfc/rfc3492.txt):

    тест.рф => xn--e1aybc.xn--p1ai

  4. Remove the www prefix:

    www.example.com => example.com

  5. Remove repeated slashes:

    example.com//dir/test.html => example.com/dir/test.html

  6. Remove the trailing slash at the end of the URL:

    example.com/ => example.com

  7. Remove the authorization information:

    login:password@example.com => example.com

  8. Remove the port number:

    example.com:80/index => example.com/index

  9. Remove the #fragment reference:

    example.com#fragment => example.com

  10. Remove dots at the end of the host name:

    example.com./index.html => example.com/index.html

  11. Convert percent-encoded symbols to UTF-8 according to RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt) and RFC 2279 (https://www.ietf.org/rfc/rfc2279.txt).

  12. Convert all characters to lower case:

    EXAMPLE.COM => example.com

  13. If the host is given as an IP address, convert it to dot-decimal notation:

    0112.0175.0117.0150 => 74.125.79.104
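The thirteen rules above describe one pipeline, and the practical consequence is that a false positives entry only suppresses a detection if both the entry and the detected URL normalize to the same string. The following Python implementation is an added example written for this page; it is not Kaspersky CyberTrace code and it does not reproduce the product's exact behaviour. The function names (normalize_url, remove_dot_segments, canonical_ipv4, build_false_positive_index, is_trusted) are invented for the example. It assumes no bracketed IPv6 literals in the host, treats a query string (which the page does not mention) by keeping it decoded and lower-cased, and converts numeric hosts with inet_aton semantics, so short forms such as 1- to 3-part addresses are accepted as well as the 4-part octal form in the page's example. Punycode conversion uses Python's built-in idna codec.

```python
import ipaddress
import re
from typing import Iterable, Optional
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 'remove_dot_segments', applied to the path (rule 1)."""
    inp, out = path, ""
    while inp:
        if inp.startswith("../"):                      # step A
            inp = inp[3:]
        elif inp.startswith("./"):                     # step A
            inp = inp[2:]
        elif inp.startswith("/./"):                    # step B
            inp = inp[2:]
        elif inp == "/.":                              # step B
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":   # step C: pop the last output segment
            inp = "/" if inp == "/.." else inp[3:]
            out = out[: out.rfind("/")] if "/" in out else ""
        elif inp in (".", ".."):                       # step D
            inp = ""
        else:                                          # step E: move one segment to the output
            nxt = inp.find("/", 1)
            if nxt == -1:
                out, inp = out + inp, ""
            else:
                out, inp = out + inp[:nxt], inp[nxt:]
    return out


def canonical_ipv4(host: str) -> Optional[str]:
    """Rule 13: octal, hex or short dotted IPv4 forms to dot-decimal (inet_aton semantics).

    Returns None when the host is not an IPv4 literal. Assumption: like inet_aton, a
    1- to 3-part numeric host is accepted and the last part fills the remaining bytes.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            vals.append(int(p[2:], 16))
        elif re.fullmatch(r"0[0-7]*", p):          # a leading zero means octal
            vals.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            vals.append(int(p, 10))
        else:
            return None
    tail_bytes = 5 - len(vals)                      # bytes covered by the last part
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 256 ** tail_bytes:
        return None
    num = 0
    for v in vals[:-1]:
        num = (num << 8) | v
    num = (num << (8 * tail_bytes)) | vals[-1]
    return str(ipaddress.IPv4Address(num))


def normalize_url(url: str) -> str:
    """Apply the thirteen normalization rules to a URL or bare host."""
    url = url.split("#", 1)[0]                                   # rule 9: drop the fragment
    url = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)        # rule 2: drop the protocol
    authority, rest = re.match(r"([^/?]*)(.*)", url).groups()    # host part vs. path/query
    authority = authority.rsplit("@", 1)[-1]                     # rule 7: drop login:password@
    host = re.sub(r":\d*$", "", authority)                       # rule 8: drop the port (no IPv6 literals)
    host = host.rstrip(".").lower()                              # rules 10 and 12 (host part)
    try:
        host = host.encode("idna").decode("ascii")               # rule 3: Punycode via the idna codec
    except UnicodeError:
        pass                                                     # assumption: keep an unencodable label
    if host.startswith("www."):                                  # rule 4: drop the www prefix
        host = host[4:]
    host = canonical_ipv4(host) or host                          # rule 13: numeric host to dot-decimal
    path, _, query = rest.partition("?")
    path = remove_dot_segments(path)                             # rule 1: dot segments
    path = unquote(path)                                         # rule 11: %XX to UTF-8
    path = re.sub(r"/{2,}", "/", path)                           # rule 5: repeated slashes
    path = path.rstrip("/").lower()                              # rules 6 and 12 (path part)
    result = host + path
    if query:                                                    # assumption: the page is silent on queries
        result += "?" + unquote(query).lower()
    return result


def build_false_positive_index(entries: Iterable[str]) -> set:
    """Normalize every list entry once, so lookups compare like with like."""
    return {normalize_url(e) for e in entries}


def is_trusted(url: str, index: set) -> bool:
    """True when a detected URL would be suppressed by the false positives list."""
    return normalize_url(url) in index


if __name__ == "__main__":
    # Constructed sample list and detections (not taken from the product).
    index = build_false_positive_index(["HTTP://WWW.Example.com/", "тест.рф"])
    for detected in ("http://user:pw@Example.COM./", "example.com:80/index", "XN--E1AYBC.xn--p1ai"):
        print(f"{detected!r:38} -> {normalize_url(detected)!r:26} trusted={is_trusted(detected, index)}")
```

Normalizing both the list entries and the detected URL is the point of the index: an entry typed as "HTTP://WWW.Example.com/" would never match the already-normalized detection "example.com" by plain string comparison, and a path entry such as "example.com/index" is deliberately not matched by "example.com:80/index/other", so the list stays precise about what it suppresses.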
