Learn how to mark false positives in your discovery results and prevent them from
appearing in future scans.
About this task
After defining policies for discovering sensitive data and identifying datasources to scan, you
can run the discovery scan and review the results. While reviewing results of a discovery scan, you
may find some false-positive matches in the results. You can add these false positives to an
exclusion group so they are ignored in subsequent scans. If you automatically
populate a sensitive objects group based on discovery scan results, removing false positives from
that group ensures that actions or policies defined for it function
correctly.
This example uses a discovery scenario with relational-type datasources, but the
procedure applies to all datasource types with minor differences. For example, relational-type
scenarios use the Add to group of tables to exclude action while
document-type scenarios use the Add to group of collections to exclude
action.
Procedure
- Navigate to
and select the discovery scenario to review.
- Review discovery scan results and add false positives to exclusion groups.
  - Click to open the Review report section and see the results of
    the discovery scan.
    If there are no results, the discovery process may not have run yet.
    Click to open the Run discovery section to see the last-run timestamp.
  - In the results table, select one or more rows containing false-positive data and click
    the Add to group button to define a grouping action.
    Group for exclusion based on the granularity of the selected data:
    - Add to Group of Schemas to Exclude
    - Add to Group of Tables to Exclude
    - Add to Group of Tables/Columns to Exclude
    It is possible to add one false positive to an exclusion group of schemas and another
    false positive to an exclusion group of tables or columns.
  - Use the Select Exclude Group dialog to select or create an
    exclusion group.
  - Click OK to close the dialog and return to the discovery
    results table.
Attention:
- The original results remain in the table after adding false-positive data to exclusion groups.
This is because the result viewer shows the results of the most recent discovery scan. To ensure
that the objects have been added, review the exclusion group members using the Group
Builder.
- Actions performed from the results table are considered ad hoc actions that
run only as invoked from the table. These actions will not appear in the
section of the discovery scenario, and
they will not run automatically as part of the discovery scenario or related classification
processes.
- Add exclusion groups to the rule that triggered the false-positive match.
  - In the Review report section, use the Rule
    description column in the results table to identify which rule matched the
    false-positive data.
  - Click to open the What to discover section and select the rule
    from the Selected classification rules table. Click the icon to begin editing
    the rule.
  - From the Edit rule page, click to open the Rule
    criteria section, and click the Show advanced options
    link.
  - Add the exclusion group to either the Exclude schema,
    Exclude table, or Exclude table column
    parameter.
    Choose the granularity that matches your selection for the false positives in
    the discovery results.
  - Click the Save button to save the rule.
  - Click the Save button to save the discovery
    scenario.
- Remove false-positive data from the sensitive objects group.
  Discovery template rules automatically add matches to a sensitive objects group, and your
  own rules may define a similar behavior. To prevent the false positives from appearing in
  future discovery scans, remove the false-positive data from the sensitive objects group.
  - Navigate to .
  - Select the appropriate sensitive objects group and click the icon.
  - On the Members tab of the Edit group
    dialog, select the false positives and click the icon.
  - Click the Save button to update the group.
Results
The next time you run the discovery scenario, the false positives
identified using this procedure will not appear as matches.