Resolving detections
You can resolve a detection to change its state from Active and remove it from the default view.
FortiGuard Labs curates detection logic over time. When the resolution ratio shows a high rate of False Positives, FortiGuard Labs will take steps to determine what changes are necessary in order to increase detector performance.
Detection resolutions are your direct feedback line to FortiGuard Labs. We recommend resolving detections to improve the quality of the detectors you see.
To resolve a detection:
- Click the Detections tab and open a detector in the list.
- In the Impacted Devices tab, select the detection you want to resolve.
- Click the Actions menu at the right side of the page and select Resolve Detection. The Resolve <IP address> dialog opens.
- From the Resolution drop down, select one of the following options.
| Resolution State | Description | Example |
| --- | --- | --- |
| True Positive: Mitigated | The threat was investigated and resolved, contained, or removed. | Malware was discovered on a host. |
| True Positive: No Action | The threat has been acknowledged, however no action was taken to resolve it. | An analyst ran a post-exploit tool for testing purposes. |
| False Positive | The matched events don't represent the reported activity. | A query for malware C2 instead flagged web browser traffic to a common site. |
| Unknown | The status or veracity of the detection is unknown. | You have no idea what you're even looking at, nor what to do with it. |
- (Optional) In the Comments field, enter a brief description of the resolution.
- Click Resolve detection.
- (Optional) To unresolve a detection, select Unresolve Detection from the action menu.
Resolving a detection does not delete the detection; it simply removes it from the default view. Detections remain in your account in perpetuity and can be viewed or pulled via the API at any time. To view resolved detections, click the Filter button in the Impacted Devices tab on the detector page and select Resolved Detections.
To bulk resolve detections:
- Click the Detections tab and open a detector in the list.
- In the Impacted Devices tab, click the select-all box in the first column of the table. The Bulk Resolve icon is displayed.
- Click Bulk Resolve Detections. The Resolve X Detections dialog opens.
- From the Resolution drop down, select one of the following options.
| Resolution State | Description | Example |
| --- | --- | --- |
| True Positive: Mitigated | The threat was investigated and resolved, contained, or removed. | Malware was discovered on a host. |
| True Positive: No Action | The threat has been acknowledged, however no action was taken to resolve it. | An analyst ran a post-exploit tool for testing purposes. |
| False Positive | The matched events don't represent the reported activity. | A query for malware C2 instead flagged web browser traffic to a common site. |
| Unknown | The status or veracity of the detection is unknown. | You have no idea what you're even looking at, nor what to do with it. |
- (Optional) In the Comments field, enter a brief description of the resolution.
- Click Resolve detections.