How can you mark a Phishing Event as a False Positive
With event based Phish reporting, the reality is that some software can yield false positive click events: which are the representation of one or more phish clicks that are NOT initiated by a person but instead via a software system. These false positives skew the cyber risk data for a company when they occur. And, in most cases, these false positives result from whitelisting issues that cause a simulation email to be analyzed by a security tool, where the goal of the whitelisting was to avoid that interaction.
Therefore, we have added a new feature to the Phishing simulation app which is the ability to mark certain phishing events as false positives. This is a manual process requiring an administrator to select and delete suspected false positive events.
Therefore, we have added a new feature to the Phishing simulation app which is the ability to mark certain phishing events as false positives. This is a manual process requiring an administrator to select and delete suspected false positive events.
If a Member/Owner admin has identified an event that is a false positive, they can mark events as false positives individually or in bulk by navigating to the events list and from the "3 dots" icon next to each event select the option "Ignore".
This action will immediately mark the selected event as false positives and will be moved to a list called false positives that could be accessible from the route: .../event-details/false-positives/.
There are some cases where false positives will originate primarily from a few or a single IP address. Within the Events section of the application, admins can search, sort and/or filter by IP address in order to help the ability to identify similar false positives, and simultaneously 'Ignore' them.
If an admin mistakenly marks an event as a false positive, they can undo the task by navigating to the false positives list and from the 3 dots icon select the option "Unmark False Positive".
Additionally, Each False Positive event has an option to mark False Positive for all future events from that identified IP address. This workflow eliminates the need to repeatedly mark IP's as false positive - it only needs to be done one time and that IP can be permanently set as a False Positive IP from that point forward.