Random false positive match on keyword for Endpoint incidents
Last Updated June 14, 2017
A keyword rule configured as whole word only may report a false positive match on a fragment from the middle of a word in an Endpoint incident.
A policy was configured to look for Social Security Numbers with a keyword rule matching 'SS' and 'SSN', whole word only.
An incident appeared with a match on the 'ss' at the end of words such as Success or Process.
The 'ss' match on 'Success' is caused by chunking. The agent scans content in chunks, and the Advanced Agent Setting Detection.CHUNK_OVERLAP.int defines how many bytes from the end of the previous chunk are carried over to the start of the next chunk, so that a keyword split across a chunk boundary is still seen whole. The keyword matcher evaluates each chunk on its own and treats the start of a chunk as a word boundary. For this file the overlap region happened to begin at the 'ss' of 'Success', so 'ss' appeared as a standalone word and matched the 'SS' keyword.
Changing Detection.CHUNK_OVERLAP.int in Advanced Agent Settings moves the chunk boundary and removes the match for that file. Because the boundary is moved rather than eliminated, a different file can still produce the same kind of match wherever a chunk happens to begin inside a word, and the setting applies to every file the agent scans, not only the one in the incident.
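The following Python script is an added illustration of the mechanism described above and of why changing the overlap only moves the problem; it is not Symantec DLP agent code. The chunk sizes, the overlap model (each chunk starts `overlap` bytes before the previous chunk's end) and both sample inputs are constructed for the demonstration, and the `boundary_aware_scan` function is a hypothetical scanner that checks the byte just outside a chunk edge, shown for contrast rather than as an available product setting.

```python
import re

# Constructed sample inputs (not taken from the article).
# The first contains no whole-word SS/SSN; the second contains the whole word "SSN".
FALSE_POSITIVE_SAMPLE = b"Build status: Success. Process completed without error."
GENUINE_SAMPLE = b"customer SSN on file"

KEYWORDS = ("SS", "SSN")
# Whole-word, case-insensitive keyword rule. Longest alternative first so that
# "SSN" is preferred over "SS" where both fit.
WHOLE_WORD = re.compile(
    r"\b(?:" + "|".join(re.escape(k) for k in sorted(KEYWORDS, key=len, reverse=True)) + r")\b",
    re.IGNORECASE,
)
WORD_CHAR = re.compile(r"\w")


def chunks(data, chunk_size, overlap):
    """Yield (absolute_start, chunk). Every chunk after the first begins
    `overlap` bytes before the previous chunk's end. This is an assumed model
    of overlap-based chunking with hypothetical sizes, not the agent's code."""
    if not 0 <= overlap < chunk_size:
        raise ValueError("overlap must be non-negative and smaller than chunk_size")
    step = chunk_size - overlap
    start = 0
    while True:
        yield start, data[start:start + chunk_size]
        if start + chunk_size >= len(data):
            return
        start += step


def naive_scan(data, chunk_size, overlap):
    """Apply the whole-word rule to each chunk in isolation. The start and the
    end of a chunk look like word boundaries to \\b, so a word fragment cut by
    a chunk edge can match as a whole word. Hits are deduplicated by offset,
    since the overlap region is scanned twice."""
    hits = set()
    for start, chunk in chunks(data, chunk_size, overlap):
        text = chunk.decode("latin-1")
        for m in WHOLE_WORD.finditer(text):
            hits.add((start + m.start(), m.group(0)))
    return sorted(hits)


def boundary_aware_scan(data, chunk_size, overlap):
    """Same chunking, but a match touching a chunk edge is confirmed only if
    the byte just outside the chunk is not a word character. A streaming
    scanner would retain that one byte from the neighbouring chunk; here it is
    read from the full buffer for simplicity (hypothetical mitigation)."""
    hits = set()
    for start, chunk in chunks(data, chunk_size, overlap):
        end = start + len(chunk)
        text = chunk.decode("latin-1")
        for m in WHOLE_WORD.finditer(text):
            abs_start, abs_end = start + m.start(), start + m.end()
            if abs_start == start and start > 0 and WORD_CHAR.match(chr(data[start - 1])):
                continue  # fragment such as "ss" from "Succe|ss"
            if abs_end == end and end < len(data) and WORD_CHAR.match(chr(data[end])):
                continue  # fragment such as "SS" from "SS|N"
            hits.add((abs_start, m.group(0)))
    return sorted(hits)


if __name__ == "__main__":
    # Overlap 5 puts a chunk start at the "ss" of "Success": false positive.
    print(naive_scan(FALSE_POSITIVE_SAMPLE, 24, 5))           # [(19, 'ss')]
    # Overlap 4 moves the boundary one byte; the match disappears for this file.
    print(naive_scan(FALSE_POSITIVE_SAMPLE, 24, 4))           # []
    # Checking the neighbouring byte removes the fragment regardless of overlap.
    print(boundary_aware_scan(FALSE_POSITIVE_SAMPLE, 24, 5))  # []
    # At a chunk end, "SSN" cut as "SS|N" also yields a spurious "SS".
    print(naive_scan(GENUINE_SAMPLE, 11, 4))                  # [(9, 'SS'), (9, 'SSN')]
    print(boundary_aware_scan(GENUINE_SAMPLE, 11, 4))         # [(9, 'SSN')]
```

With chunk size 24 and overlap 5 the second chunk of the first sample starts at offset 19, the 'ss' of 'Success', and the whole-word rule fires; overlap 4 starts the chunk one byte later and the match is gone, which is the effect the setting change above has. The second sample shows the mirror case at a chunk end and confirms that the overlap still lets the genuine 'SSN' be seen whole in the following chunk.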