Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

ML-driven Potential False Positive Detection

  1. Last updated
  2. Save as PDF
Limited Availability: ML-driven Potential False Positives (an advanced DLP capability) is a Limited Availability feature that requires additional entitlement. Contact Skyhigh Support or your account manager for assistance. 

The Policy Incidents page displays incidents detected and categorized as potential false positives. This page offers detailed insights into each potential false positive, providing crucial information for understanding the statistics associated with them, including recent trends and changes in the volume of incidents within your organization. Security Operations Center (SOC) analysts can use this information to track and validate trends, prioritize investigations, and enhance the overall accuracy and efficiency of threat detection and response. 

To understand how the ML model identifies Potential False Positives, see About ML-driven Potential False Positives.

IMPORTANT: Skyhigh Security does not use your confidential data to train its AI-ML models for false positive detection and only uses incident metadata. For further details, refer to the Skyhigh SSE Privacy Data Sheet document.

Enable ML- driven Potential False Positives 

To view Potential False Positive incidents on the Policy Incidents page, you must first enable this capability on the Policy Settings page. For details see, Incident Management

1.png

NOTE: Once the toggle is enabled, you can view statistics and search for potential false positive incidents on the Policy Incidents page.
A count of 0 indicates that the toggle is currently off, which is common for new users. Existing users who have disabled the toggle can still view past counts of potential false positives from the last 30 days. However, new counts will only appear once the toggle is re-enabled.

View and Validate ML-driven Potential False Positive Incidents

On the Policy Incidents page, you can:

  1. View Potential False Positives Summary. You can view the total count of potential false positive incidents and track recent trends in their volume. This includes the number of sanctioned DLP incidents automatically classified as potential false positives over the last 30 days, highlighting any increases or decreases compared to the previous 30-day period. To view the details of Total Incidents and False Positives Summary, see Policy Incidents.
  2. Filter for Potential False Positives. This capability applies specifically to Sanctioned DLP Incidents. Filter the Incident Type as Sanctioned DLP, and apply the Machine Learning Status filter as Potential False Positive to display all potential false positive incidents within your organization.

2.png

  1. Review and Validate Potential False Positives. The Sanctioned DLP Incident cloud card includes a Potential False Positive section within the Machine Learning Status component. This addition allows for efficient validation of incidents classified as potential false positives. You can review these incidents and update their Incident Status as needed, such as marking them as false positives, opened, under investigation, or with any other relevant status on the Sanctioned DLP Policy Incident cloud card. By taking these actions, you can effectively investigate potential false positives, ensuring accurate incident classification and improving your organization's overall incident management process.

3.png

How the Policy Incident Page Populates Data?

Once you enable the ML-driven Potential False Positives on Policy Settings, the Data Loss Prevention (DLP) engine initiates a comprehensive weekly scan of all policy incidents, regardless of their current status. This proactive approach is designed to identify incidents that may be incorrectly flagged as violations, thereby reducing the number of false positives that administrators need to address.

During the scan, the DLP engine uses advanced machine-learning algorithms to analyze each incident. It detects common patterns that have been previously identified and manually marked false positives. By examining a variety of attributes associated with these incidents, the DLP engine can effectively classify which incidents may qualify as potential false positives.

During the scan, the following incident metadata will be used to analyze incidents:

  • Rule: The specific DLP rule that triggered the incident.
  • Service: The cloud service provider involved in the incident.
  • Severity: The severity level assigned to the incident, which can influence its classification.
  • File Type: The type of file associated with the incident, as certain file types may be more prone to false positives.
  • Username: The user account involved in the incident, which can provide context for the activity.
  • Activity: The specific actions (Upload, Download, and more) taken that led to the incident being flagged.

After the scan is completed, you can access summarized insights regarding potential false positive incidents on the Policy Incidents page. These insights provide a clear overview of the number of incidents identified as potential false positives, allowing you to quickly assess the situation. This information is crucial for streamlining your incident management process, enabling you to focus on genuine threats while minimizing the time and resources spent on false alarms. By leveraging the capabilities of the ML-driven Potential Scan, organizations can enhance their overall security posture and improve the efficiency of their DLP strategies.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    1. TOPIC ID 817