As you investigate different ContraForce Incidents, you have a number of tools available to help you organize and classify the incidents. One of the most important tools is Classifications.
Classification vs Status
It is important to understand the difference between Classification and Status. Status describes the work state of an investigation; the options are Active, Closed, or New. Classification describes the outcome of an incident investigation. Because classifications can be confusing at first, the breakdown below explains when to use each one.
True Positive
True Positive should be selected when the incident was deemed to be an actual malicious threat to your environment.
Benign Positive
Benign Positive should be selected when the incident seemed suspicious, but was actually legitimate activity from a user.
False Positive
False Positive should be selected when the incident was mistakenly triggered, either by incorrect logic in the incident rule itself or by inaccurate data used to determine whether the activity was legitimate.
When selecting this option, you will be asked to indicate which of these two causes applied.
Undetermined
Undetermined is best for incidents where the cause is ultimately unknown or the outcome does not fit any of the classifications above. In the latter case, it is recommended to add a comment recording everything that was discovered while investigating the incident, so the reasoning is preserved for later review.
If you have any questions about how to use Classifications, please contact us at support@contraforce.com.