Tuning false positives with the confidence factor setting
Use the confidence factor to limit the number of offenses that are created by triggered rules. Depending on the level of protection that you want, you adjust the confidence values to a level that best matches your network environment.
About this task
When you tune rules, consider a scale where 50 is the tipping point. On assets of lower importance, you might weigh an X-Force rule to trigger at a higher confidence factor for specific categories, like spam. For example, tuning a rule to a confidence factor of 75 means the rule triggers only when X-Force sees an IP address at or above a confidence factor of 75. This tuning reduces the number of offenses that are generated on lower priority systems and non-critical assets. However, an important system or critical business asset with a confidence factor of 50 triggers an offense at a lower level and brings attention to an issue more quickly.
For your DMZ, choose a higher confidence value such as 95% or higher. You do not need to investigate many offenses in this area. With a high confidence level, the IP addresses are more likely to match the category that is listed. If it is 95% certain that a host is serving malware, then you need to know about it.
For more secure areas of the network, like a server pool, lower the confidence value. More potential threats are identified in that segment, and each offense takes less effort to investigate because the rule is scoped to that specific network segment.
For optimum false positive tuning, manage your rule triggers by segment. Look at your network infrastructure and decide which assets need a high level of protection, and which assets do not. You can apply different confidence values for the different network segments. Use building blocks for grouping commonly used tests so that they can be used in rules.
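The following added example illustrates the per-segment tuning described above; it is not QRadar code and does not use the QRadar rule engine or API. It assumes hypothetical segment names, constructed address ranges (RFC 5737 and RFC 1918 space), and constructed threat-feed matches with the confidence values shown. The thresholds follow the guidance on this page: 95 for the DMZ, 50 (the tipping point) for the protected server pool, and 75 for lower-priority assets. Comparing the segmented thresholds with a flat threshold of 50 shows how the segment-specific values reduce the offense count on less critical assets while keeping the server pool sensitive.

```python
"""Illustration of per-segment confidence-factor thresholds (added example, not QRadar code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical network segments; address ranges are constructed for this example.
SEGMENTS = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "server_pool": ipaddress.ip_network("10.10.0.0/16"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
}

# Per-segment confidence factor at which a feed match raises an offense.
# Values follow the page's guidance: DMZ 95, critical server pool 50, other assets 75.
SEGMENT_THRESHOLDS = {
    "dmz": 95,
    "server_pool": 50,
    "workstations": 75,
}

# A single flat threshold at the tipping point, for comparison.
FLAT_THRESHOLDS = {seg: 50 for seg in SEGMENTS}


@dataclass
class ThreatMatch:
    local_ip: str     # asset in our network that communicated with the remote IP
    remote_ip: str    # IP address reported by the threat feed
    category: str     # feed category, e.g. "Malware" or "Spam"
    confidence: int   # feed confidence factor, 0-100


def segment_for(ip: str) -> Optional[str]:
    """Return the segment name whose range contains ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def should_raise_offense(match: ThreatMatch, thresholds: Dict[str, int]) -> bool:
    """Raise an offense only when the feed confidence meets the segment's threshold."""
    seg = segment_for(match.local_ip)
    if seg is None:
        return False  # no rule is configured for assets outside the known segments
    return match.confidence >= thresholds[seg]


def count_offenses(matches: List[ThreatMatch], thresholds: Dict[str, int]) -> Dict[str, int]:
    """Count offenses per segment that a given threshold set would generate."""
    counts = {seg: 0 for seg in thresholds}
    for m in matches:
        if should_raise_offense(m, thresholds):
            counts[segment_for(m.local_ip)] += 1
    return counts


# Constructed sample matches; remote IPs are documentation addresses, not real indicators.
SAMPLE_MATCHES = [
    ThreatMatch("203.0.113.10", "198.51.100.7", "Malware", 97),   # DMZ, high confidence
    ThreatMatch("203.0.113.11", "198.51.100.8", "Spam", 60),      # DMZ, below 95
    ThreatMatch("10.10.4.20", "198.51.100.9", "Malware", 55),     # server pool, above 50
    ThreatMatch("10.10.4.21", "198.51.100.10", "Scanning", 40),   # server pool, below 50
    ThreatMatch("10.20.7.30", "198.51.100.11", "Spam", 80),       # workstation, above 75
    ThreatMatch("10.20.7.31", "198.51.100.12", "Spam", 70),       # workstation, below 75
]


if __name__ == "__main__":
    print("segmented:", count_offenses(SAMPLE_MATCHES, SEGMENT_THRESHOLDS))
    print("flat 50:  ", count_offenses(SAMPLE_MATCHES, FLAT_THRESHOLDS))
```

Running the script shows that the segmented thresholds produce one offense per segment from the sample data, while the flat threshold of 50 produces two in the DMZ and two on workstations, the extra ones being the lower-confidence spam matches that the page suggests are not worth an analyst's time on non-critical assets.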