False positives waste time. At TruSTAR, our mission is to empower analysts to make smarter decisions faster about where to focus precious investigation cycles.
With this in mind, we’re rolling out a new Automated Whitelisting Capability to to reduce false positives and non-relevant IOCs without interrupting analyst workflow. This new feature will immediately provide relief to analysts who are dealing with information overload and let them get on with their jobs.
This new feature is built on top our Enclave architecture, which gives TruSTAR users more control over their data.
How does auto-whitelisting work and how will this affect me?
We’re using machine learning models to identify URLs and IPs that are noisy and redundant. These indicators will automatically be removed from correlation count, graph visualization, dashboard results, and API responses to give you better relevancy in your investigations. URLs and IPs account for a large majority of IOCs on TruSTAR and that’s why we are starting by focusing on these two IOC types. We will apply automated whitelisting to other IOC types in future releases.
What is the difference between auto-whitelisting and the company whitelisting feature?
Automated whitelisting takes into account the contextual data around the IOC at the report level. So, if an IOC is automatically whitelisted from a present report it could still appear in a future one. However, when you add an IOC to the company whitelist it will never be seen again.
How do I add an IOC to my company whitelist?
There are two ways you can add an IOC to your company whitelist.
You can add IOCs using the IOCs tab. Click on the to add the IOC to your company whitelist.
Or, you can add an IOC to your company whitelist by selecting the IOC on the graph, and then using the information panel on the left.
Will I be able to revert the auto-whitelist decision?
Yes, as long as you have read-write capabilities for the Enclave(s) containing the report you can click on the red X button shown in Figure 1 to revert the automated decision. The reversion will affect all Enclaves associated with that report. For example, if you revert the automated whitelisting decision for an IOC it will now appear as a malicious IOC in all Enclaves associated with the report. The IOC will be counted in the correlation count and will show up in the graph visualization, dashboard results, and API responses.
How does the automation work?
The automated capability relies on three different types of features that are used in our machine learning models:
- Contextual features: The words surrounding the IOC. This is why the capability applies at the report level.
- Lexical features: The types of characters present in the IOC.
- Third-party features: The values returned from third-party sources, such as the domain reputation.
If you have any more questions or concerns, we always welcome feedback at firstname.lastname@example.org or to your TruSTAR customer success rep.
To read more about TruSTAR's Data Science initiatives click here.