If an anomaly represents unusual behavior that does not indicate a security incident (for example, an employee who has a new project that requires an unusual number of record downloads), that anomaly should be marked as a false positive. The information you provide to resolve anomalies trains Threat Protection on how to handle anomalies within your organization.
Anomalies can be marked as false positives by a user with Incident Handler permissions.
To mark an anomaly as False Positive:
- Go to Incidents > Anomalies > Anomalies.
- In the Anomalies table, select the specific anomaly you wish to resolve.
- In the Anomalies Cloud Card, select Status as False Positive to remove the anomaly from the Anomalies list.
Once updated, a successful message is displayed at the bottom of the page.
IMPORTANT: This action cannot be undone.