You can use the False Positive Tuning function to prevent false positive events from creating offenses.
Before you begin
You can tune false positive events from the event list or event details page.
About this task
You must have appropriate permissions for creating customized rules to tune false positives.
For more information about roles, see the IBM QRadar Administration Guide.
Procedure
- Click the Log Activity tab.
- Optional. If you are viewing events in streaming mode, click the Pause icon to pause streaming.
- Select the event that you want to tune.
- Click False Positive.
- In the Event/Flow Property pane on the False Positive window, select one of the following options:
  - Event/Flow(s) with a specific QID of <Event>
  - Any Event/Flow(s) with a low-level category of <Event>
  - Any Event/Flow(s) with a high-level category of <Event>
- In the Traffic Direction pane, select one of the following options:
  - <Source IP Address> to <Destination IP Address>
  - <Source IP Address> to Any Destination
  - Any Source to <Destination IP Address>
  - Any Source to any Destination
- Click Tune.
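
The scope of a tuning is the combination of one Event/Flow Property option and one Traffic Direction option. The following added example (not IBM code; a simplified model that assumes plain equality matching on QID, category and IP address, with hypothetical names throughout) counts how many events in a constructed sample each of the 12 combinations would cover, so that the narrowest combination that still covers the false positive can be chosen.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Event:
    qid: int
    low_cat: str
    high_cat: str
    src: str
    dst: str


# Hypothetical short names for the options in the two panes of the False Positive window.
PROPERTIES = ("qid", "low_cat", "high_cat")
DIRECTIONS = ("src_to_dst", "src_to_any", "any_to_dst", "any_to_any")


def matches(selected, event, prop, direction):
    """True if `event` falls inside the tuning scope built from `selected`."""
    if getattr(event, prop) != getattr(selected, prop):
        return False
    src_ok = direction in ("any_to_dst", "any_to_any") or event.src == selected.src
    dst_ok = direction in ("src_to_any", "any_to_any") or event.dst == selected.dst
    return src_ok and dst_ok


def scope_report(selected, events):
    """Count the events covered by each property/direction combination."""
    return {(p, d): sum(matches(selected, e, p, d) for e in events)
            for p, d in product(PROPERTIES, DIRECTIONS)}


# Constructed sample events: QIDs, categories and addresses are made up.
EVENTS = [
    Event(1001, "Misc Login Failed", "Authentication", "10.0.0.5", "10.0.1.9"),  # selected
    Event(1001, "Misc Login Failed", "Authentication", "10.0.0.5", "10.0.1.20"),
    Event(1001, "Misc Login Failed", "Authentication", "203.0.113.7", "10.0.1.9"),
    Event(1002, "Misc Login Failed", "Authentication", "203.0.113.7", "10.0.1.9"),
    Event(2001, "Admin Login Failed", "Authentication", "203.0.113.7", "10.0.1.30"),
    Event(3001, "Firewall Deny", "Access", "10.0.0.5", "10.0.1.9"),
]

if __name__ == "__main__":
    for (prop, direction), n in scope_report(EVENTS[0], EVENTS).items():
        print(f"{prop:9} {direction:11} -> {n} of {len(EVENTS)} events")
```

In this sample, the high-level category option with Any Source to any Destination covers five of the six events, including failed logins from an external address, while the specific QID option with source-to-destination covers only the selected event.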