User Guide

Resolving detections

You can resolve a detection to change its state from Active and remove it from the default view.

FortiGuard Labs curates detection rule logic over time. When the resolution ratio shows a high rate of False Positives, FortiGuard Labs will take steps to determine what changes are necessary in order to increase rule performance.

Tooltip

Detection resolutions are your direct feedback line to FortiGuard Labs. We recommend resolving detections to improve the quality of the rules you see.

To resolve a detection:
  1. Click the Detections tab and open a rule in the list.
  2. In the Impacted Devices tab, select the detection you want to resolve.
  3. Click the Actions menu at the right side of the page and select Resolve Detection. The Resolve <IP address> dialog opens.
  4. From the Resolution drop down, select one of the following options.
    | Resolution State          | Description                                                                | Example                                                                        |
    |---------------------------|----------------------------------------------------------------------------|--------------------------------------------------------------------------------|
    | True Positive: Mitigated  | The threat was investigated and resolved, contained, or removed.           | Malware was discovered on a host.                                              |
    | True Positive: No Action  | The threat has been acknowledged, however no action was taken to resolve it. | An analyst ran a post-exploit tool for testing purposes.                     |
    | False Positive            | The matched events don't represent the reported activity.                  | A signature for malware C2 instead flagged web browser traffic to a common site. |
    | Unknown                   | The status or veracity of the detection is unknown.                        | You have no idea what you're even looking at, nor what to do with it.          |
  5. (Optional) In the Comments field, enter a brief description of the resolution.

  6. Click Resolve detection.

  7. (Optional) To unresolve a detection, select Unresolve Detection from the action menu.

Note

Resolving a detection does not delete the detection; it simply removes it from the default view. Detections remain in your account in perpetuity and can be viewed or pulled via the API at any time.

To view resolved detections, click the Filter button in the Impacted Devices tab on the Rule page and select Resolved Detections.

To bulk resolve detections:
  1. Click the Detections tab and open a rule in the list.
  2. In the Impacted Devices tab, click the select all box in the first column of the table. The Bulk Resolve icon is displayed.
  3. Click Bulk Resolve Detections.

  4. In the Impacted Devices tab, click Bulk Resolve Detections. The Resolve X Detections dialog opens.
  5. From the Resolution drop down, select one of the following options.
    | Resolution State          | Description                                                                | Example                                                                        |
    |---------------------------|----------------------------------------------------------------------------|--------------------------------------------------------------------------------|
    | True Positive: Mitigated  | The threat was investigated and resolved, contained, or removed.           | Malware was discovered on a host.                                              |
    | True Positive: No Action  | The threat has been acknowledged, however no action was taken to resolve it. | An analyst ran a post-exploit tool for testing purposes.                     |
    | False Positive            | The matched events don't represent the reported activity.                  | A signature for malware C2 instead flagged web browser traffic to a common site. |
    | Unknown                   | The status or veracity of the detection is unknown.                        | You have no idea what you're even looking at, nor what to do with it.          |
  6. (Optional) In the Comments field, enter a brief description of the resolution.

  7. Click Resolve detections.
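The behaviour the two procedures and the note describe (resolution is a state change, not a deletion; resolved detections leave the default view but stay retrievable; unresolve reverts the state; bulk resolve acts on every selected detection of one rule; a rule's False Positive ratio is what FortiGuard Labs watches for tuning) can be modelled in a few lines. The following is an added example, not Fortinet code and not the product's API: the class names, fields, record layout and sample detections are all constructed for illustration.

```python
"""Model of the detection resolution workflow described on this page.

Added example; not FortiNDR Cloud or FortiGuard code. All names here
(Resolution, Detection, DetectionStore, rule_id, device_ip) and the sample
records are assumptions, not the product's API schema.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Resolution(Enum):
    """The four options offered in the Resolution drop down."""
    TRUE_POSITIVE_MITIGATED = "True Positive: Mitigated"
    TRUE_POSITIVE_NO_ACTION = "True Positive: No Action"
    FALSE_POSITIVE = "False Positive"
    UNKNOWN = "Unknown"


@dataclass
class Detection:
    detection_id: str
    rule_id: str
    device_ip: str
    resolution: Optional[Resolution] = None  # None means the detection is Active
    comment: str = ""

    @property
    def active(self) -> bool:
        return self.resolution is None


class DetectionStore:
    """Resolving never deletes a record; it only changes the state field."""

    def __init__(self, detections: Iterable[Detection]) -> None:
        self._by_id: Dict[str, Detection] = {d.detection_id: d for d in detections}

    def resolve(self, detection_id: str, resolution: Resolution, comment: str = "") -> Detection:
        d = self._by_id[detection_id]  # KeyError for an id that was never ingested
        d.resolution, d.comment = resolution, comment
        return d

    def bulk_resolve(self, rule_id: str, resolution: Resolution, comment: str = "") -> int:
        """Mirror 'select all' in Impacted Devices: every Active detection of one rule."""
        targets = [d for d in self._by_id.values() if d.rule_id == rule_id and d.active]
        for d in targets:
            d.resolution, d.comment = resolution, comment
        return len(targets)

    def unresolve(self, detection_id: str) -> Detection:
        d = self._by_id[detection_id]
        d.resolution, d.comment = None, ""
        return d

    def default_view(self, rule_id: str) -> List[Detection]:
        """What the Impacted Devices tab shows without the Resolved filter."""
        return [d for d in self._by_id.values() if d.rule_id == rule_id and d.active]

    def resolved_view(self, rule_id: str) -> List[Detection]:
        """What the Resolved Detections filter shows; nothing is ever dropped."""
        return [d for d in self._by_id.values() if d.rule_id == rule_id and not d.active]

    def false_positive_ratio(self, rule_id: str) -> float:
        """Share of resolved detections marked False Positive (0.0 when none resolved)."""
        resolved = self.resolved_view(rule_id)
        if not resolved:
            return 0.0
        fps = sum(1 for d in resolved if d.resolution is Resolution.FALSE_POSITIVE)
        return fps / len(resolved)


def rules_needing_tuning(store: DetectionStore, rule_ids: Iterable[str], threshold: float = 0.5) -> List[str]:
    """Rules whose False Positive ratio meets the threshold; the kind of signal rule curation acts on."""
    return [r for r in rule_ids if store.false_positive_ratio(r) >= threshold]


def build_sample_store() -> DetectionStore:
    """Constructed sample data: two hypothetical rules, six hypothetical devices."""
    return DetectionStore([
        Detection("det-1", "rule-c2-beacon", "10.0.0.1"),
        Detection("det-2", "rule-c2-beacon", "10.0.0.2"),
        Detection("det-3", "rule-c2-beacon", "10.0.0.3"),
        Detection("det-4", "rule-c2-beacon", "10.0.0.4"),
        Detection("det-5", "rule-lateral-smb", "10.0.1.1"),
        Detection("det-6", "rule-lateral-smb", "10.0.1.2"),
    ])


if __name__ == "__main__":
    store = build_sample_store()
    store.resolve("det-1", Resolution.FALSE_POSITIVE, "browser traffic to a common site")
    print("active after one resolve:", len(store.default_view("rule-c2-beacon")))
    store.unresolve("det-1")
    print("active after unresolve:", len(store.default_view("rule-c2-beacon")))
    print("bulk resolved:", store.bulk_resolve("rule-c2-beacon", Resolution.FALSE_POSITIVE))
    print("rules to tune:", rules_needing_tuning(store, ["rule-c2-beacon", "rule-lateral-smb"]))
```

The point worth keeping from the model is that `resolved_view` is a filter over the same store that `default_view` reads, so a resolution is reversible and auditable, and the ratio that drives rule tuning is only as good as the resolution states analysts choose: bulk-resolving a rule's detections as False Positive without looking at them skews exactly the feedback the tooltip asks for.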
