What does the "Close as False Positive" button actually do?

  • 12 April 2024

A lot of you may have noticed a button appearing on your alerts that says "Close as False Positive." But what does it actually do? Well, let me tell ya! For our reference, this is the button I'm referring to:


So what does it do? Well, I'm sure you've probably clicked it thinking that it would prevent that type of alert from showing up again (believe me, I did the same thing). But that's not exactly what it does. When you click "Close as False Positive," you're essentially closing the alert in the same way you would if you clicked the "Close" button. The only difference is that when you click "Close as False Positive," you're actually providing Lacework with some extra feedback. This feedback is then sent to our ML/data team for further analysis, at which point they can make adjustments to the detection engine based on that feedback.


That's all good and dandy, but what if I want to prevent that type of alert from showing up again? Well, in that case, you'll want to create exceptions for the corresponding policy. To learn more about writing policy exceptions, check out our docs on Compliance Policy Exceptions and Suppressing Behavior Anomaly Alerts. Alternatively, you can sign up for a Live Security Workshop where a dedicated Customer Success Architect (CSA) team member will help walk you through the process 🤗.


Feel free to leave a like or reply with any questions, comments, or concerns!





Tuning Lacework/Customization


