This section explains how to manage the False Positives supplier on the Feeds tab. Make sure that the General tenant is selected in the tenant drop-down list (the list of all available tenants) in the upper-left area of the window.
You can access the false positives list by clicking the Manage False Positives button in the Filtering rules for feeds section.
Managing the false positives list
To access the false positives list, click the Manage False Positives button.
The False Positives window opens:
False Positives list
You can edit the false positives list of indicators as follows:
On the URL tab, you can specify a URL containing the wildcard symbol * (for example, example.com/testpage/*, which will match URLs such as example.com/testpage/test1 and example.com/testpage/test/long_url).
Starting from Kaspersky CyberTrace version 4.0, the * symbol in the URL is not used as a wildcard. The * symbol just means the "asterisk" character.
Kaspersky CyberTrace applies normalization rules to any URL that you add on the URL tab and that is not yet contained in the indicator database. As a result, the representation of these URLs may change. For example, if you add a URL that contains a port, the port value will be removed. For a description of how Kaspersky CyberTrace normalizes a URL, see subsection "URL normalization rules" below.
The false positives list is checked only after all events from a thread have been matched against all the suppliers. The main purpose of the false positives list is to enable Kaspersky CyberTrace to ignore detections for trusted indicators. If any feed produces a detection, but a given indicator is found in the false positives list, Kaspersky CyberTrace does not generate a detection event. In this case, on the Dashboard tab, in the Supplier statistics table, the value in the False positives column corresponding to the supplier that produced the detection is incremented by one. The values in the False positives column show how many false detections were produced by each supplier. For more information about the Dashboard, see section "Kaspersky CyberTrace Dashboard".
URL normalization rules
Any URLs added to the false positives list on the URL tab will be normalized according to the following URL normalization rules:
Removing dot segments ("." and "..") according to the algorithm described in RFC 3986, section 5.2.4 Remove Dot Segments (https://www.ietf.org/rfc/rfc3986.txt): http://www.example.com/../a/b/../c/./d.html => http://www.example.com/a/c/d.html
Removing the scheme: http://example.com => example.com
Converting an internationalized domain name to Punycode: тест.рф => xn--e1aybc.xn--p1ai
Removing the www prefix: www.example.com => example.com
Removing duplicate slashes: example.com//dir/test.html => example.com/dir/test.html
Removing the trailing slash: example.com/ => example.com
Removing user credentials: login:password@example.com => example.com
Removing the port: example.com:80/index => example.com/index
Removing the #fragment reference: example.com#fragment => example.com
Removing the trailing dot from the host name: example.com./index.html => example.com/index.html
Converting the host name to lowercase: EXAMPLE.COM => example.com
Converting an IP address in octal notation to decimal notation: 0112.0175.0117.0150 => 74.125.79.104
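The following Python script is an added example written for this page; it is not Kaspersky CyberTrace's own code. It re-implements the normalization rules listed above and then shows how a false positives list built from normalized entries suppresses detection events and increments a per-supplier false positives counter, as described in the "Managing the false positives list" section. The supplier names and URLs in the sample are constructed. Assumptions not stated on the page: the path keeps its case, a query string (if present) is kept, and an indicator is normalized on lookup as well as when it is added to the list.

```python
import re
from urllib.parse import urlsplit

# Hypothetical re-implementation of the documented URL normalization rules;
# not Kaspersky CyberTrace's code. Assumed: path case and query string are kept,
# and lookups normalize the incoming indicator the same way as list entries.

_DOTTED_QUAD = re.compile(r"^(?:0x[0-9a-f]+|[0-9]+)(?:\.(?:0x[0-9a-f]+|[0-9]+)){3}$")


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4, simplified: a trailing slash is stripped later anyway."""
    output = []
    for segment in path.split("/"):
        if segment == ".":
            continue                      # "/./" adds nothing
        if segment == "..":
            if output and output[-1] != "":
                output.pop()              # step back one segment, never above the root
            continue
        output.append(segment)
    return "/".join(output)


def canonical_ipv4(host: str) -> str:
    """Rewrite a dotted quad with octal or hex labels (0112.0175.0117.0150) in decimal."""
    if not _DOTTED_QUAD.match(host):
        return host
    octets = []
    for label in host.split("."):
        try:
            if label.startswith("0x"):
                value = int(label, 16)
            elif len(label) > 1 and label.startswith("0"):
                value = int(label, 8)
            else:
                value = int(label, 10)
        except ValueError:
            return host                   # e.g. "09" is not valid octal: leave untouched
        if not 0 <= value <= 255:
            return host
        octets.append(value)
    return ".".join(str(o) for o in octets)


def normalize_url(url: str) -> str:
    """Apply the listed rules and return the canonical indicator string."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url             # give urlsplit a scheme; it is dropped again below
    parts = urlsplit(url)
    host = parts.hostname                 # lowercased; userinfo and port already stripped
    if not host:
        raise ValueError(f"no host name in {url!r}")
    host = host.rstrip(".")                               # example.com. -> example.com
    host = host.encode("idna").decode("ascii")            # тест.рф -> xn--e1aybc.xn--p1ai
    if host.startswith("www."):
        host = host[4:]                                   # www.example.com -> example.com
    host = canonical_ipv4(host)
    path = re.sub(r"/+", "/", parts.path)                 # example.com//dir -> example.com/dir
    path = remove_dot_segments(path).rstrip("/")          # example.com/ -> example.com
    if parts.query:
        path += "?" + parts.query
    return host + path                                    # scheme and #fragment are not re-attached


class FalsePositiveList:
    """URL indicators that must never produce a detection event; entries are normalized on add."""

    def __init__(self, urls=()):
        self._entries = {normalize_url(u) for u in urls}

    def add(self, url: str) -> None:
        self._entries.add(normalize_url(url))

    def __contains__(self, url: str) -> bool:
        return normalize_url(url) in self._entries


def filter_detections(detections, fp_list):
    """detections: iterable of (supplier, url). Returns the detection events that are
    generated and a per-supplier count of suppressed detections (False positives column)."""
    events, false_positives = [], {}
    for supplier, url in detections:
        if url in fp_list:
            false_positives[supplier] = false_positives.get(supplier, 0) + 1
        else:
            events.append((supplier, url))
    return events, false_positives


# Constructed sample: supplier names and URLs are made up for this example.
SAMPLE_FALSE_POSITIVES = ["example.com/index"]
SAMPLE_DETECTIONS = [
    ("Supplier_A", "HTTP://EXAMPLE.COM:80/index"),      # same indicator after normalization
    ("Supplier_B", "http://bad.example.net/login"),      # not in the list: event is generated
    ("Supplier_A", "http://www.example.com/index/"),     # www prefix and trailing slash removed
]


def run_sample():
    return filter_detections(SAMPLE_DETECTIONS, FalsePositiveList(SAMPLE_FALSE_POSITIVES))
```

Running run_sample() yields one detection event for Supplier_B and a false positives count of 2 for Supplier_A, because both of its detections collapse to example.com/index once the port, host case, www prefix and trailing slash are normalized away. Note that the full pipeline is applied to every input, so the RFC 3986 example from the list comes out as example.com/a/c/d.html rather than keeping its scheme and www prefix.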