False positives configuration
Manage the configuration of false positives to minimize their impact on legitimate threats and vulnerabilities. To prevent IBM QRadar from generating an excessive number of false positives, you can tune false positive events and flows to prevent them from creating offenses.
False positive rule chains
The first rule to execute in the custom rules engine (CRE) is FalsePositive: False Positive Rules and Building Blocks. When it loads, all of its dependencies are loaded and tested. When an event or flow successfully matches the rule, it bypasses all other rules in the CRE, which prevents it from creating an offense.
Creating false positive building blocks
When you create false positive building blocks within QRadar, you must review the following information:
- Naming conventions
  Use a methodology similar to the default rule set by creating new building blocks with the following naming convention:
  <CustomerName>-BB:False Positive: All False Positive Building Blocks, where <CustomerName> is a name that you assign to the false positive building block.
- False positive building blocks
  Building blocks must contain the test "and when a flow or an event matches any of the following rules". This test is a collection point for false positive building blocks and helps you to quickly find and identify customizations. Note the following guidelines when you create your false positive building blocks:
  - When the <CustomerName>-BB:False Positive: All False Positive Building Blocks building block is created, add it to the test in the rule FalsePositive: False Positive Rules and Building Blocks.
  - When the new false positive building block is created, you can create new building blocks to match the traffic that you want to prevent from creating offenses. Add these building blocks to the <CustomerName>-BB:False Positive: All False Positive Building Blocks building block.
  - To prevent events from creating offenses, you must create a new building block that matches the traffic that you are interested in. Save it as a building block named <CustomerName>-BB:False Positive: <name_of_rule>, then edit <CustomerName>-BB:False Positive: All False Positive Building Blocks to include the building block that you created.
Note: If you add a rule, or a building block that includes a rule, to the FalsePositive: False Positive Rules and Building Blocks rule, the rule that you add runs before the event bypasses the CRE and might create offenses, overriding the false positive test.
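As an added example (not IBM code, and not a QRadar export format), the following Python script audits a constructed model of the false positive chain against the guidelines above: the collection building block must follow the naming convention and be referenced by the FalsePositive rule, every customer false positive building block must be included in the collection, and, per the note, nothing referenced by the FalsePositive rule may be, or include, a rule, because such a rule runs before the CRE bypass. The chain dictionary, the customer name "Acme", and every rule or building block name other than FalsePositive: False Positive Rules and Building Blocks are assumptions made for the example.

```python
from __future__ import annotations

import re

# Name of the first rule the CRE executes (from the QRadar documentation above).
FP_RULE = "FalsePositive: False Positive Rules and Building Blocks"
# Naming convention for customer false positive building blocks.
BB_PATTERN = re.compile(r"^(?P<customer>.+?)-BB:False Positive: (?P<name>.+)$")
COLLECTION_SUFFIX = "All False Positive Building Blocks"

# Constructed sample chain (hypothetical, not a QRadar export): each rule or
# building block maps to its kind and to the names referenced by its
# "matches any of the following rules" test.
SAMPLE_CHAIN = {
    FP_RULE: {
        "kind": "rule",
        "refs": ["Acme-BB:False Positive: All False Positive Building Blocks",
                 "BB:Misc: Scanner Whitelist"],
    },
    "Acme-BB:False Positive: All False Positive Building Blocks": {
        "kind": "bb",
        "refs": ["Acme-BB:False Positive: Vuln Scanner to Internal",
                 "BB:False Positive: Legacy Name"],
    },
    "Acme-BB:False Positive: Vuln Scanner to Internal": {"kind": "bb", "refs": []},
    "BB:False Positive: Legacy Name": {"kind": "bb", "refs": []},
    "Acme-BB:False Positive: Backup Traffic": {"kind": "bb", "refs": []},
    "BB:Misc: Scanner Whitelist": {"kind": "bb", "refs": ["Acme-Rule: Alert on Scanner"]},
    "Acme-Rule: Alert on Scanner": {"kind": "rule", "refs": []},
}


def collection_name(customer: str) -> str:
    """Expected name of the customer's collection building block."""
    return f"{customer}-BB:False Positive: {COLLECTION_SUFFIX}"


def reachable_rules(chain: dict, start: str) -> set[str]:
    """Return every rule (not building block) reachable from `start`, including
    `start` itself. Rules reached from the FalsePositive rule run before the CRE
    bypass, so they can still create offenses."""
    seen: set[str] = set()
    stack = [start]
    rules: set[str] = set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        entry = chain.get(name)
        if entry is None:
            continue
        if entry["kind"] == "rule":
            rules.add(name)
        stack.extend(entry["refs"])
    return rules


def audit_chain(chain: dict, customer: str) -> list[str]:
    """Check the false positive chain against the guidelines in the text."""
    findings: list[str] = []
    coll = collection_name(customer)

    fp_rule = chain.get(FP_RULE)
    if fp_rule is None:
        return [f"{FP_RULE} is missing from the chain"]
    if coll not in fp_rule["refs"]:
        findings.append(f"{coll} is not referenced by {FP_RULE}")

    # Guideline from the note: anything under the FalsePositive rule that is,
    # or includes, a rule runs before the bypass and may create offenses.
    for ref in fp_rule["refs"]:
        for rule in sorted(reachable_rules(chain, ref)):
            findings.append(f"{ref} includes rule {rule}, which runs before the CRE bypass")

    coll_entry = chain.get(coll)
    if coll_entry is None:
        findings.append(f"collection building block {coll} does not exist")
    else:
        for ref in coll_entry["refs"]:
            m = BB_PATTERN.match(ref)
            if m is None or m.group("customer") != customer:
                findings.append(f"{ref} does not follow the {customer}-BB:False Positive: <name_of_rule> convention")
            elif ref not in chain:
                findings.append(f"{ref} is referenced by {coll} but does not exist")
            elif chain[ref]["kind"] != "bb":
                findings.append(f"{ref} is a rule, not a building block")

    # Building blocks that follow the convention but were never added to the collection.
    included = set(coll_entry["refs"]) if coll_entry else set()
    for name in chain:
        m = BB_PATTERN.match(name)
        if m and m.group("customer") == customer and name != coll and name not in included:
            findings.append(f"{name} is not included in {coll}, so it never reaches the bypass")
    return findings


if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN, "Acme"):
        print("WARNING:", finding)
```

Run against the constructed chain, the audit reports three findings: the whitelist building block under the FalsePositive rule pulls in a rule, the legacy building block in the collection violates the naming convention, and the backup-traffic building block was created but never added to the collection. To apply it to a real deployment you would populate the chain from your own rule and building block inventory.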