I published an article on the IBM Security Intelligence blog: Incident Response: 5 Steps to Prevent False Positives. The article describes what false positives look like and how they can interfere with your incident response and threat intelligence processes.
I propose 5 steps to prevent false positives:
- Prevent false positives from being added to threat intel reports
- Notify analysts of the likelihood of false positives in threat intel reports
- Report sightings, observables and false positives
- Inform analysts about sightings
- Disable the indicator to streamline cyber threat intel
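To show how the five steps fit together as one workflow, here is an added Python example that is not from the article and not IBM's code. It models a small indicator store: a benign allow-list keeps known-good values out of reports (step 1), every report is annotated with a false-positive likelihood (step 2), analysts report sightings and false positives (step 3), those reports are pushed to an analyst feed (step 4), and an indicator is disabled once enough reports mark it as a false positive (step 5). The allow-list entries, the `0.5` disable threshold, the minimum of three reports and the IP addresses are all constructed assumptions for the illustration.

```python
"""Minimal threat-intel indicator workflow with sighting and
false-positive tracking. Added illustration, not the article's code;
thresholds, allow-list and sample values are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Indicator:
    value: str
    ioc_type: str
    source: str
    sightings: int = 0          # confirmed true-positive hits
    false_positives: int = 0    # analyst-reported false positives
    enabled: bool = True
    notes: list = field(default_factory=list)

    def fp_likelihood(self) -> float:
        """Share of analyst reports that marked this indicator a false positive."""
        total = self.sightings + self.false_positives
        return 0.0 if total == 0 else self.false_positives / total


# Step 1: values that should never enter a threat intel report (constructed list).
BENIGN_ALLOWLIST = {"8.8.8.8", "127.0.0.1", "google.com"}


class IntelStore:
    def __init__(self, disable_threshold: float = 0.5, min_reports: int = 3):
        self.indicators: dict[str, Indicator] = {}
        self.disable_threshold = disable_threshold  # assumed cut-off for step 5
        self.min_reports = min_reports              # avoid disabling on one report
        self.analyst_feed: list[str] = []           # messages analysts would see

    def add_indicator(self, value: str, ioc_type: str, source: str):
        """Step 1: refuse indicators that match the benign allow-list."""
        if value in BENIGN_ALLOWLIST:
            self.analyst_feed.append(f"rejected {value}: on benign allow-list")
            return None
        return self.indicators.setdefault(value, Indicator(value, ioc_type, source))

    def report_sighting(self, value: str, analyst: str) -> int:
        """Steps 3 and 4: record a true-positive sighting and tell analysts."""
        ind = self.indicators[value]
        ind.sightings += 1
        self.analyst_feed.append(f"sighting of {value} reported by {analyst}")
        return ind.sightings

    def report_false_positive(self, value: str, analyst: str, reason: str) -> bool:
        """Steps 3 and 5: record a false positive; disable the indicator once
        enough reports agree. Returns whether the indicator is still enabled."""
        ind = self.indicators[value]
        ind.false_positives += 1
        ind.notes.append(f"{analyst}: {reason}")
        total = ind.sightings + ind.false_positives
        if total >= self.min_reports and ind.fp_likelihood() >= self.disable_threshold:
            ind.enabled = False
            self.analyst_feed.append(
                f"disabled {value}: false-positive likelihood {ind.fp_likelihood():.2f}")
        return ind.enabled

    def annotate_report(self, values):
        """Step 2: attach the false-positive likelihood and enabled flag to
        each known indicator in a report, so analysts see the risk up front."""
        return [(v, self.indicators[v].fp_likelihood(), self.indicators[v].enabled)
                for v in values if v in self.indicators]


def demo() -> IntelStore:
    """Constructed walk-through using TEST-NET addresses."""
    store = IntelStore()
    store.add_indicator("203.0.113.5", "ipv4", "feed-a")
    store.add_indicator("198.51.100.7", "ipv4", "feed-b")
    store.report_sighting("203.0.113.5", "alice")
    store.report_sighting("203.0.113.5", "bob")
    for analyst in ("alice", "bob", "carol"):
        store.report_false_positive("198.51.100.7", analyst, "internal vulnerability scanner")
    return store


if __name__ == "__main__":
    s = demo()
    for line in s.analyst_feed:
        print(line)
    print(s.annotate_report(["203.0.113.5", "198.51.100.7"]))
```

The disable rule deliberately waits for a minimum number of reports, so a single mistaken false-positive report cannot silence an indicator that other analysts are still seeing as a true positive.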