Auto-Allow List

Updated 2 weeks ago by Sachit Soni

Auto-Allow List is the TruSTAR feature that uses machine learning to identify URLs and IP addresses that are noisy and irrelevant, and removes them from correlation counts, graph visualizations, dashboard results, and API responses. Filtering out URLs and IPs that carry no investigative value improves the relevancy of your investigations.

URLs and IP addresses account for a large majority of the observables TruSTAR identifies, so they are the current focus of the Auto-Allow List. TruSTAR may apply automated Allow Lists to other indicator types in the future.

TruSTAR's machine learning models use three types of information when making decisions about what to include on the Auto-Allow List:

  • Contextual features: The words surrounding the observable. This is why the capability applies at the report level.
  • Lexical features: The types of characters present in the observable.
  • Third-party features: The values returned from third-party sources, such as the domain reputation.

What is the difference between the Auto-Allow List and the company Allow List?

The Auto-Allow List decision is made per report, using the contextual data around the observable in that report. If an observable is automatically added to the Allow List in a report created this month, it can still appear in a future report if the context there is different.

When you manually add an observable to the company Allow List, the decision is not tied to any report: the observable will never be seen again in your reports or searches.
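The following Python example, added here and not TruSTAR's model, code or API, makes the three feature families and the report-level nature of the decision concrete. It extracts URLs and IPv4 addresses from a constructed report, derives contextual features (surrounding words), a lexical feature (punctuation density) and a third-party feature (a stand-in reputation lookup), scores each observable, and shows that the same IP is auto-allowed in one report and surfaced in another, whereas a company allow-list entry is suppressed regardless of context. The word lists, reputation table, weights, threshold and both report texts are assumptions chosen for illustration.

```python
"""
Illustrative report-level allow-list scoring for URLs and IP addresses.

Added example, not TruSTAR's model or API. The feature families follow the
page; every vocabulary, weight and threshold below is an assumption.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WORD_RE = re.compile(r"[a-z][a-z0-9-]*")

# Assumed context vocabularies: words that, near an observable, suggest it is
# cited as documentation/tooling versus named as an indicator.
BENIGN_CONTEXT = {"see", "documentation", "guidance", "reference", "vendor",
                  "blog", "via", "analysis"}
MALICIOUS_CONTEXT = {"c2", "beacon", "dropper", "payload", "callback",
                     "exfiltration", "malicious", "ioc", "iocs"}

# Constructed stand-in for a third-party domain/IP reputation source.
REPUTATION = {"docs.microsoft.com": "benign", "8.8.8.8": "benign",
              "evil-c2.example": "malicious"}
REPUTATION_WEIGHT = {"benign": 1, "unknown": 0, "malicious": -2}

# Manually curated company allow list (by host): suppressed in every report.
COMPANY_ALLOW_LIST = {"docs.microsoft.com"}

# Constructed sample reports.
REPORT_WITH_CONTEXT = (
    "The dropper sent a beacon to http://evil-c2.example/gate.php and used "
    "203.0.113.45 for exfiltration. For mitigation guidance see "
    "https://docs.microsoft.com/en-us/defender and the vendor blog. "
    "Test DNS queries were resolved via 8.8.8.8 during analysis."
)
REPORT_C2 = "Payload C2 beacon traffic went to 8.8.8.8 over port 4444."


@dataclass
class Scored:
    observable: str
    benign_hits: int
    malicious_hits: int
    special_ratio: float
    reputation: str
    score: int
    auto_allowed: bool


def extract_observables(text):
    """Return sorted (start, end, value) spans for URLs and bare IPv4 addresses."""
    spans = [(m.start(), m.end(), m.group()) for m in URL_RE.finditer(text)]
    for m in IPV4_RE.finditer(text):
        if not any(s <= m.start() < e for s, e, _ in spans):  # IP embedded in a URL
            spans.append((m.start(), m.end(), m.group()))
    return sorted(spans)


def context_words(masked, start, end, window=5):
    """Contextual features: up to `window` words on each side of the observable."""
    before = WORD_RE.findall(masked[:start].lower())[-window:]
    after = WORD_RE.findall(masked[end:].lower())[:window]
    return before + after


def host_of(observable):
    if IPV4_RE.fullmatch(observable):
        return observable
    return urlparse(observable).hostname or ""


def score_observable(masked, start, end, value):
    words = context_words(masked, start, end)
    benign = sum(w in BENIGN_CONTEXT for w in words)
    malicious = sum(w in MALICIOUS_CONTEXT for w in words)
    # Lexical feature: share of non-alphanumeric characters (query-heavy URLs score high).
    special_ratio = sum(not c.isalnum() for c in value) / len(value)
    reputation = REPUTATION.get(host_of(value), "unknown")
    score = benign - malicious + REPUTATION_WEIGHT[reputation]
    if not IPV4_RE.fullmatch(value) and special_ratio > 0.25:
        score -= 1  # assumed penalty for punctuation-dense URLs
    allowed = reputation != "malicious" and score >= 2  # assumed threshold
    return Scored(value, benign, malicious, round(special_ratio, 2),
                  reputation, score, allowed)


def triage_report(text):
    """Return (surfaced, auto_allowed, company_allowed) observables for one report."""
    spans = extract_observables(text)
    masked = text
    for s, e, _ in spans:  # blank every observable so none leaks into another's context
        masked = masked[:s] + " " * (e - s) + masked[e:]
    surfaced, auto_allowed, company_allowed = [], [], []
    for s, e, value in spans:
        if host_of(value) in COMPANY_ALLOW_LIST:
            company_allowed.append(value)  # never scored: context is irrelevant
            continue
        result = score_observable(masked, s, e, value)
        (auto_allowed if result.auto_allowed else surfaced).append(value)
    return surfaced, auto_allowed, company_allowed


if __name__ == "__main__":
    for report in (REPORT_WITH_CONTEXT, REPORT_C2):
        surfaced, auto_allowed, company_allowed = triage_report(report)
        print("surfaced:", surfaced)
        print("auto-allowed:", auto_allowed)
        print("company allow list:", company_allowed)
```

In the first report 8.8.8.8 is auto-allowed because its neighbours ("via", "analysis") and reputation outweigh the absence of indicator language; in the second report the same address sits next to "C2" and "beacon" and is surfaced again, which is the per-report behaviour described above. The docs URL is removed in any report because its host is on the company allow list, so it is never scored at all.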

Can I undo an Auto-Allow List decision?

Yes, provided you have read-write access to the Enclave(s) containing the report. With that permission, click the red X button to revert the automated decision. The reversal applies to every Enclave associated with that report: the observable appears again as a malicious observable in all of those Enclaves, and it is once more included in the correlation count, graph visualization, dashboard results, and API responses.