Updated 1 year ago by TruSTAR

Auto-Whitelist is the TruSTAR feature that uses machine learning to identify URLs and IP addresses that are noisy and irrelevant and remove them from correlation count, graph visualization, dashboard results, and API responses. This provides better relevancy in your investigations by removing URLs and IPs that are not useful.

URLs and IP addresses account for a large majority of observables identified by TruSTAR, so they are the current focus of the Auto-Whitelist. TruSTAR may apply automated whitelisting to other observable types in future.

TruSTAR's machine learning models use three types of information when making decisions about what to include on the Auto-Whitelist:

  • Contextual features: The words surrounding the observable. This is why the capability applies at the report level.
  • Lexical features: The types of characters present in the observable.
  • Third-party features: The values returned from third-party sources, such as the domain reputation.

What is the difference between the Auto-Whitelist and the company Whitelist?

The Auto-Whitelist uses contextual data around the observable at the report level. If an observable is automatically added to the Auto-Whitelist from a report created this month, it could still appear in a future report if the context changes.

When you manually add an observable to the company Whitelist, it will never be seen again in your reports or searches.

Can I undo an Auto-Whitelist decision?

Yes, as long as you have read-write capabilities for the Enclave(s) containing the report. If you have these permissions, you can click on the red X button to revert the automated decision. This action affects all Enclaves associated with that report. For example, if you revert the Auto-Whitelist decision for an observable, it will appear as a malicious observable in all Enclaves associated with the report and it will be counted in the correlation count and appear in the graph visualization, dashboard results, and API responses.

How Did We Do?