We have around 2000 cyber-security attack tickets, most of them false positives. We have run IDS/IPS for more than 10 years, and now we spend a lot of time every day manually checking false positives. Is there any automatic or smart way to filter false positives, any tool or program we can use? Thanks
This is not really a forensic question … it's closer to IT security.
This is almost impossible to answer at this distance. You probably want to talk to the relevant IDS/IPS people, or to the people who provide any SIEM or reporting tools you may have that chew on IDS/IPS/other data and create tickets. You want to talk to someone who can sit down and understand how your particular workflow actually works.
For example, you may be using triggers/rules with too high a false positive rate to start with. If you have any control of the rules, you may need to add a 'once a false positive is detected, modify the ruleset so that it doesn't trigger again for this particular case' activity. (You may want to keep track of bad rules – if one leads to too many false positives, you may want to disable it rather than have to wade through false positives.)
Or, you want to add that kind of filter to your SIEM ingress point (or wherever), or at your reporting tool ingress point. That clearly depends entirely on what equipment you're using … so you really need to talk to someone who knows the tools you use well.
While there may be someone here who does, chances are probably better in tool-specific forums.
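The two activities the answer above describes (tracking which rules produce mostly false positives, and adding a "don't trigger again for this particular case" filter at the ingress point) can be prototyped from the analyst dispositions you already have. The following is an added example, not code from the thread or from any IDS/SIEM product; the ticket format, the rule IDs, the addresses and the thresholds are all constructed assumptions, and in practice the filter would sit wherever your SIEM or reporting tool ingests alerts.

```python
"""Rule-level false-positive triage from analyst dispositions.

Added example (not from the original thread). It assumes each ticket is a
dict with a rule ID, source, destination and the analyst's verdict
("fp" or "tp"). Rule IDs, addresses and thresholds are made up.
"""
from collections import Counter, defaultdict

# Constructed sample tickets: rule IDs and addresses are placeholders.
SAMPLE_TICKETS = [
    {"rule": "RULE-A", "src": "10.0.0.11", "dst": "10.0.1.20", "disposition": "fp"},
    {"rule": "RULE-A", "src": "10.0.0.12", "dst": "10.0.1.20", "disposition": "fp"},
    {"rule": "RULE-A", "src": "10.0.0.13", "dst": "10.0.1.21", "disposition": "fp"},
    {"rule": "RULE-A", "src": "10.0.0.14", "dst": "10.0.1.21", "disposition": "fp"},
    {"rule": "RULE-A", "src": "10.0.0.15", "dst": "10.0.1.22", "disposition": "fp"},
    {"rule": "RULE-A", "src": "10.0.0.16", "dst": "10.0.1.22", "disposition": "fp"},
    {"rule": "RULE-B", "src": "10.0.0.5", "dst": "10.0.1.20", "disposition": "fp"},
    {"rule": "RULE-B", "src": "10.0.0.5", "dst": "10.0.1.20", "disposition": "fp"},
    {"rule": "RULE-B", "src": "10.0.0.5", "dst": "10.0.1.20", "disposition": "fp"},
    {"rule": "RULE-B", "src": "198.51.100.7", "dst": "10.0.1.20", "disposition": "tp"},
    {"rule": "RULE-C", "src": "203.0.113.9", "dst": "10.0.1.25", "disposition": "tp"},
    {"rule": "RULE-C", "src": "203.0.113.10", "dst": "10.0.1.25", "disposition": "tp"},
]


def rule_stats(tickets):
    """Per-rule ticket count, FP count and FP rate ("keep track of bad rules")."""
    counts = defaultdict(lambda: {"total": 0, "fp": 0})
    for t in tickets:
        counts[t["rule"]]["total"] += 1
        if t["disposition"] == "fp":
            counts[t["rule"]]["fp"] += 1
    return {r: {**c, "fp_rate": c["fp"] / c["total"]} for r, c in counts.items()}


def rules_to_review(stats, min_tickets=5, fp_threshold=0.9):
    """Rules with enough history and an FP rate at or above the threshold.

    These are candidates to disable or rewrite; the minimum ticket count stops
    a rule from being judged on one or two tickets.
    """
    return sorted(r for r, s in stats.items()
                  if s["total"] >= min_tickets and s["fp_rate"] >= fp_threshold)


def build_suppressions(tickets, min_repeats=3):
    """Narrow suppressions for "this particular case": (rule, src, dst) triples
    that analysts have closed as FP at least min_repeats times.

    A triple that has ever been a true positive is never suppressed, so a
    noisy host cannot mask a real detection on the same rule.
    """
    fp_counts = Counter()
    seen_tp = set()
    for t in tickets:
        key = (t["rule"], t["src"], t["dst"])
        if t["disposition"] == "fp":
            fp_counts[key] += 1
        else:
            seen_tp.add(key)
    return {k for k, n in fp_counts.items() if n >= min_repeats and k not in seen_tp}


def triage(tickets, disabled_rules=(), suppressions=frozenset()):
    """Ingress-side filter: returns (kept, suppressed).

    Suppressed tickets are returned rather than dropped so they can be logged
    and audited; a suppression that hides a real alert must be reversible.
    """
    kept, suppressed = [], []
    for t in tickets:
        key = (t["rule"], t["src"], t["dst"])
        if t["rule"] in disabled_rules or key in suppressions:
            suppressed.append(t)
        else:
            kept.append(t)
    return kept, suppressed


def run_pipeline(tickets):
    """Learn from past dispositions, then apply the resulting filter."""
    stats = rule_stats(tickets)
    disabled = set(rules_to_review(stats))
    suppressions = build_suppressions(tickets)
    kept, suppressed = triage(tickets, disabled, suppressions)
    return {"stats": stats, "disabled": sorted(disabled),
            "suppressions": suppressions, "kept": kept, "suppressed": suppressed}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_TICKETS)
    for rule, s in sorted(result["stats"].items()):
        print(f"{rule}: {s['total']} tickets, FP rate {s['fp_rate']:.0%}")
    print("rules to review/disable:", result["disabled"])
    print("case suppressions:", sorted(result["suppressions"]))
    print(f"kept {len(result['kept'])}, suppressed {len(result['suppressed'])}")
```

The learned filter is applied back to the same history here only to show the effect; in use it would be fed the next day's tickets, with `rules_to_review` output going to whoever owns the ruleset and `build_suppressions` output going to the SIEM or reporting tool's ingress filter. The thresholds are starting points, not recommendations, and should be set from your own ticket volumes.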