• Capture Client 3.7
• Overview
  • Description
  • Navigation
  • Guide Conventions
• Dashboard
  • About the Dashboard
  • Global Dashboard
  • Tenant Dashboard
• Alerts and Notifications
  • Accessing Notifications
  • Viewing Alerts
• Threat Investigation
  • Investigating Threats
  • Analyst Verdict
  • Downloading a Threat File
  • Detected Threats
  • Threats Mitigated
  • Performing a Rollback
  • Resolving Threats
  • Blacklisting Threats
  • Benign Threats
• Investigating and Responding to Active Clients
  • SentinelOne Pending Actions
• Investigating and Responding to Active Users
• Enforce Trusted Certificates
• Investigating and Responding to Risky Applications
• SonicWall Support
  • About This Document

Analyst Verdict

The Analyst Verdict feature serves as a place to record the security team's decisions - True Positive, False Positive, or Suspicious.

Analysts can investigate threats for hours or even days to reach a conclusion. A recorded verdict for each threat gives you more visibility about what occurs in your environment: to view the number of True positives, False positives, and the threats that you are not sure about (suspicious). Thus Analyst Verdict helps the team work more efficient. This feature also makes the threats easily searchable for future reference. For example, when you find a suspicious threat entering your environment, click on the link in the Network History of the threat. You can find if the same threat was seen in your network a month ago and a teammate marked it as True Positive. You can mark the same threat True positive without further investigations, or you can add it to the Blacklist as required.

When you run a mitigation action on one or more items, you are prompted to set the Analyst Verdict.

Each threat starts as Undefined.

If you set the Analyst Verdict to True Positive or Suspicious, it does not trigger any changes. If you set the Analyst Verdict to False Positive, the Threat Status changes to Marked as Benign.

It DOES NOT automatically create exclusions or blacklist items.

If you create an exclusion for threats (Threat Actions > Add to Exclusions), the Analyst Verdict automatically changes to False Positive.

If you add threats to the blacklist (Threat Actions > Add to Blacklist), the Analyst Verdict automatically changes to True Positive.

When there is lack of sufficient evidence to establish a threat as either malicious or non-malicious (False Positive), you can update an Analyst Verdict to Suspicious.

To change a threat's Incident Status to Resolved, it must have an Analyst Verdict set.

You can change the Analyst Verdict at any time if you get new information or regret your decision.