How does auto-whitelisting work and what does it mean to me?
We’re using machine learning models to identify URLs and IPs that are noisy and irrelevant. These indicators will be automatically removed from correlation count, graph visualization, dashboard results, and API responses to give you better relevancy in your investigations. URLs and IPs account for a large majority of IOCs on TruSTAR and that’s why we are starting by focusing on these two IOC types. We will apply automated whitelisting to other IOC types in future releases.
What is the difference between auto-whitelisting and the company whitelisting feature?
Automated whitelisting takes into account the contextual data around the IOC at the report level. So, if an IOC is automatically whitelisted from a present report, it could still appear in a future one. However, when you add an IOC to the company whitelist, it will never be seen again.
How do I add an IOC to my company whitelist?
There are two ways you can add an IOC to your company whitelist.
- You can add IOCs using the IOCs tab. Click on the eye in the panel toolbar to enable the ability to whitelist an IOC.
- You can also add an IOC to your company whitelist by selecting the IOC on the graph and then using the information panel on the left.
Will I be able to revert the auto-whitelist decision?
Yes, as long as you have read-write capabilities for the Enclave(s) containing the report, you can click on the red X button shown in Figure 1 to revert the automated decision. The reversion will affect all Enclaves associated with that report. For example, if you revert the automated whitelisting decision for an IOC, it will now appear as a malicious IOC in all Enclaves associated with the report. The IOC will be counted in the correlation count and will show up in the graph visualization, dashboard results, and API responses.
How does the automation work?
The automated capability relies on three different types of features that are used in our machine learning models:
- Contextual features: The words surrounding the IOC. This is why the capability applies at the report level.
- Lexical features: The types of characters present in the IOC.
- Third-party features: The values returned from third-party sources, such as the domain reputation.
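The three feature types can be sketched as follows. This is an added illustration, not TruSTAR's model or code: the function names, the feature names, the four-word context window, the sample reports and the `domain_reputation` value are all assumptions constructed for the example. It shows why the decision is made per report: the lexical and third-party features of an IOC are the same everywhere, while the contextual features change with the surrounding text.

```python
import re
from collections import Counter

# Constructed sample reports (not real data); the same URL appears in both.
REPORTS = {
    "report-A": "Analysts should read the vendor advisory at "
                "http://example.com/advisory for patch guidance.",
    "report-B": "The dropper beacons to http://example.com/advisory "
                "and downloads a second stage payload.",
}

def lexical_features(ioc):
    """Lexical features: counts of the character types present in the IOC."""
    return {
        "length": len(ioc),
        "letters": sum(c.isalpha() for c in ioc),
        "digits": sum(c.isdigit() for c in ioc),
        "dots": ioc.count("."),
        "slashes": ioc.count("/"),
    }

def contextual_features(report_text, ioc, window=4):
    """Contextual features: words within `window` tokens of each IOC mention."""
    tokens = report_text.split()
    bag = Counter()
    for i, tok in enumerate(tokens):
        if ioc in tok:
            around = tokens[max(0, i - window):i] + tokens[i + 1:i + 1 + window]
            bag.update(re.sub(r"\W+", "", w).lower() for w in around)
    bag.pop("", None)  # drop tokens that were pure punctuation
    return bag

def feature_vector(report_text, ioc, reputation):
    """Combine the three feature types for one (report, IOC) pair.
    `reputation` stands in for third-party lookups (hypothetical shape)."""
    return {
        "lexical": lexical_features(ioc),
        "context": contextual_features(report_text, ioc, window=4),
        "third_party": dict(reputation),
    }

if __name__ == "__main__":
    ioc = "http://example.com/advisory"
    rep = {"domain_reputation": "unknown"}  # constructed placeholder value
    for name, text in REPORTS.items():
        print(name, sorted(feature_vector(text, ioc, rep)["context"]))
```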