Tuning false positives

You can tune false positive events and flows to prevent them from creating offenses.

Before you begin

Tuning a false positive creates a customized rule, so you must have the Offenses > Maintain Custom Rules permission. For more information about roles and permissions, see the IBM QRadar User Guide.

Procedure

  1. Click the Log Activity tab, or the Network Activity tab.
  2. Select the event or flow that you want to tune.
  3. Click False Positive.
    Note: If you are viewing events or flows in streaming mode, you must pause streaming before you click False Positive.
  4. Select one of the following Event or Flow Property options:
    • Event/Flow(s) with a specific QID of <Event>
    • Any Event/Flow(s) with a low-level category of <Event>
    • Any Event/Flow(s) with a high-level category of <Event>
  5. Select one of the following Traffic Direction options:
    • <Source IP Address> to <Destination IP Address>
    • <Source IP Address> to Any Destination
    • Any Source to <Destination IP Address>
    • Any Source to any Destination
  6. Click Tune.

    QRadar does not allow you to combine Any Events/Flow(s) with Any Source to any Destination. Tuning creates a custom rule that prevents QRadar from creating offenses for the events or flows that match the selected property and traffic direction.

    For more information about tuning false positives, see the IBM QRadar User Guide.
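The following Python model illustrates how the Event or Flow Property and Traffic Direction choices from the procedure above combine, and why a narrow selection suppresses far fewer events than a category-wide, any-to-any one. It is an added example, not QRadar code or its API; the `Event`, `FalsePositiveRule` and `suppressed` names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed event record: the fields mirror the properties the False Positive
# dialog lets you scope on (QID, low- and high-level category, source, destination).
@dataclass(frozen=True)
class Event:
    qid: int
    low_category: str
    high_category: str
    src: str
    dst: str

# One tuning rule: a property scope ("qid", "low" or "high") plus a source and
# destination address; None stands for "Any Source" / "Any Destination".
@dataclass(frozen=True)
class FalsePositiveRule:
    prop: str
    value: object
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        prop_ok = {
            "qid": ev.qid == self.value,
            "low": ev.low_category == self.value,
            "high": ev.high_category == self.value,
        }[self.prop]
        src_ok = self.src is None or ev.src == self.src
        dst_ok = self.dst is None or ev.dst == self.dst
        return prop_ok and src_ok and dst_ok

def suppressed(events: List[Event], rule: FalsePositiveRule) -> List[Event]:
    """Events the rule would keep from contributing to offenses."""
    return [ev for ev in events if rule.matches(ev)]

# Constructed sample: QIDs, categories and addresses are illustrative only.
SAMPLE = [
    Event(1001, "Login Succeeded", "Authentication", "10.0.0.5", "10.0.0.20"),
    Event(1001, "Login Succeeded", "Authentication", "10.0.0.9", "10.0.0.20"),
    Event(1002, "Login Failed", "Authentication", "10.0.0.5", "10.0.0.20"),
    Event(1003, "Firewall Deny", "Access", "10.0.0.5", "10.0.0.21"),
]

if __name__ == "__main__":
    narrow = FalsePositiveRule("qid", 1001, "10.0.0.5", "10.0.0.20")
    broad = FalsePositiveRule("high", "Authentication")  # any source to any destination
    print(len(suppressed(SAMPLE, narrow)), "event(s) suppressed by the specific-QID, host-to-host rule")
    print(len(suppressed(SAMPLE, broad)), "event(s) suppressed by the high-level-category, any-to-any rule")
```

Comparing the two counts before you click Tune is the check worth making: the broader the property and direction scope, the more unrelated events the new rule silently removes from offense creation.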