Follow these steps:
- Adding an object to the exception list excludes the object value associated with the specified data field from being detected by the current filter.
- In the Workbench app, click the Alert View tab. Click the Workbench ID link of the alert you want to investigate. The alert details screen will appear.
- In the Highlights panel, check the objects involved in each event and choose an object to add as an exception. Take note that you can only add highlighted objects to exceptions. Since impact scope entities are not the alert trigger criteria, they cannot be added as exceptions.
- These added exceptions can be found on the exception list under Suspicious Object Management. Under this app, you can also click + Add to add exceptions you want exclude.
- If the field that you want to exclude can't be added as exception, please close this workbench as false positive:
- In workbench alert view, select the workbench ID you think is false alert. Under the Change Status menu click ✓ Closed - false positive.
- Input the reason why you think this is a false positive alert.
This action cannot prevent similar alerts to be triggered again. However, Trend Micro's back end team will review this false positive alert and improve our detection model if it indeed is a false alert.
- If you want to avoid this alert right now and adding exception is not available for your situation, please contact Trend Micro Support for further help.
- In workbench alert view, select the workbench ID you think is false alert. Under the Change Status menu click ✓ Closed - false positive.