Remove false-positives from discovery results
Learn how to mark false-positives in your discovery results and prevent them from appearing in future scans.
About this task
After defining policies for discovering sensitive data and identifying datasources to scan, you can run the discovery scan and review the results. While reviewing results of a discovery scan, you may find some false-positive matches in the results. You can add these false positives to an exclusion group so they are ignored in subsequent scans. If you automatically populate a sensitive objects group based on discovery scan results, removing false positives from that sensitive objects group ensures that actions or policies defined for that group function correctly.
This example uses a discovery scenario with relational-type datasources, but the procedure applies to all datasource types with minor differences. For example, relational-type scenarios use the Add to group of tables to exclude action while document-type scenarios use the Add to group of collections to exclude action.
- Navigate to and select the discovery scenario to review.
- Review discovery scan results and add false-positives to exclusion groups.
- Click to open the Review report section and see the results of the discovery scan. If there are no results, this may mean that the discovery process has not yet run. Click to open the Run discovery section to see the last-run timestamp.
- In the results table, select one or more rows containing false-positive data and click the Add to group button to define a grouping action. Group for exclusion based on the granularity of the selected data:
- Add to Group of Schemas to Exclude
- Add to Group of Tables to Exclude
- Add to Group of Tables/Columns to Exclude
- Use the Select Exclude Group dialog to select or create an exclusion group.
- Click OK to close the dialog and return to the discovery results table.
Attention:
- The original results remain in the table after adding false-positive data to exclusion groups. This is because the result viewer shows the results of the most recent discovery scan. To ensure that the objects have been added, review the exclusion group members using the Group Builder.
- Actions performed from the results table are considered ad hoc actions that run only as invoked from the table. These actions will not appear in the section of the discovery scenario, and they will not run automatically as part of the discovery scenario or related classification processes.
- Add exclusion groups to the rule that triggered the false-positive match.
- In the Review report section, use the Rule description column in the results table to identify which rule matched the false-positive data.
- Click to open the What to discover section and select the rule from the Selected classification rules table. Click the icon to begin editing the rule.
- From the Edit rule page, click to open the Rule criteria section, and click the Show advanced options link.
- Add the exclusion group to either the Exclude schema, Exclude table, or Exclude table column parameter. Choose the granularity that matches your selection for the false-positives in the discovery results.
- Click the Save button to save the rule.
- Click the Save button to save the discovery scenario.
- Remove false-positive data from the sensitive objects group. Discovery template rules automatically add matches to a sensitive objects group, and your own rules may define a similar behavior. To prevent the false-positives from appearing in future discovery scans, remove the false-positive data from the sensitive objects group.
- Navigate to .
- Select the appropriate sensitive objects group and click the icon.
- On the Members tab of the Edit group dialog, select the false-positives and click the icon.
- Click the Save button to update the group.