We installed one of the solution packs that included a policy called "Network Security". There are predefined rules for hacker tools, keyloggers, and GoToMyPC Activity. I am trying to determine if this policy is even worthwhile to leave enabled.
I keep finding incidents that are created on terms like "AMAC", "sfind", etc. But I don't understand how I would know if those incidents are actual threats or just false positives. For instance, most of our PDF files that people email out seem to contain at least one instance of "aMaC", or something similar. The rest of the document is just the regular jumbled mess you would expect to see in a PDF, with an occasional recognizable word, phrase, or sentence.
Other phrases causing false positive incidents to be created are RAYTOWN (there is a real Raytown, Missouri), and Kismet (we have a valid user whose name is Kismet). I have added exceptions for these, but they still seem to slip through in various forms at least a few times a week.
Has anyone else here had a reason to keep this policy enabled?
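As an added illustration (not part of the post above, and not a description of how the product's keyword rules are actually implemented), the Python below contrasts two ways of running the same keyword list over a file. A scan over the raw file bytes behaves like the symptoms described: it fires on a byte sequence such as "aMaC" inside binary image data, fires on a legitimate name and place, and never sees text that sits inside a compressed stream. The second scan inflates FlateDecode streams, keeps only runs of printable text, matches whole words, and applies the exceptions as patterns so that variants such as "Raytown, MO" are also excluded. The PDF-like sample, the keyword list, the exception patterns and the minimum text-run length are all constructed or assumed for the demonstration.

```python
import re
import zlib

# Keyword terms mirroring the ones named in the post. The policy's real list
# is not known; these four are assumed for the demonstration.
KEYWORDS = ["AMAC", "sfind", "RAYTOWN", "Kismet"]

# Exceptions written as patterns, so common variants of a legitimate hit are
# excluded too. The employee surname and the city/state forms are hypothetical.
EXCEPTIONS = [
    re.compile(r"\bKismet\s+(?:Jones|J\.)", re.IGNORECASE),
    re.compile(r"\bRaytown,?\s+(?:MO|Missouri)\b", re.IGNORECASE),
]

# Only runs of printable ASCII at least this long count as document text; the
# short fragments that occur by chance inside image or font data are noise.
# The threshold is a heuristic chosen for this example.
MIN_TEXT_RUN = 8
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_TEXT_RUN)
# Stream object: its dictionary, then the bytes between "stream" and "endstream".
STREAM = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sample() -> bytes:
    """Construct a PDF-like blob (not a valid PDF) with three streams:
    plain page text, FlateDecode-compressed page text, and binary image data."""
    page1 = (b"BT (Invoice for Kismet Jones, 12 Main St, Raytown, MO 64133. "
             b"See our newsfinder page.) Tj ET")
    page2 = zlib.compress(b"BT (Attached: sfind tool archive for the pentest.) Tj ET")
    # Mostly non-printable bytes with a few short printable fragments, including
    # the b"aMaC" that trips a raw-byte keyword scan. Constructed, not a real image.
    image = (b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00\x8f\x12"
             b"aMaC\xff\x03\x1b\xe2\x7f\x00\x10\x9a\xcd\xf1\x04\x8b\xaa\x00")

    def obj(num, params, data):
        return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n"
                % (num, params, len(data), data))

    return (b"%PDF-1.4\n"
            + obj(1, b"", page1)
            + obj(2, b"/Filter /FlateDecode", page2)
            + obj(3, b"/Type /XObject /Subtype /Image", image)
            + b"%%EOF\n")


def naive_scan(blob: bytes):
    """Case-insensitive substring search over the raw file bytes.
    Returns (keyword, surrounding context) pairs."""
    text = blob.decode("latin-1")
    hits = []
    for kw in KEYWORDS:
        for m in re.finditer(re.escape(kw), text, re.IGNORECASE):
            hits.append((kw, text[max(0, m.start() - 12):m.end() + 12]))
    return hits


def extract_text(blob: bytes):
    """Inflate FlateDecode streams and keep only printable runs that are long
    enough to be document text."""
    segments = []
    for m in STREAM.finditer(blob):
        params, data = m.group(1), m.group(2)
        if b"/FlateDecode" in params:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # truncated or not really deflate: nothing readable
        for run in PRINTABLE_RUN.findall(data):
            segments.append(run.decode("ascii"))
    return segments


def tuned_scan(blob: bytes):
    """Whole-word, case-insensitive keyword match over decoded text, with the
    exception patterns removed first. Returns (keyword, text segment) pairs."""
    hits = []
    for seg in extract_text(blob):
        cleaned = seg
        for exc in EXCEPTIONS:
            cleaned = exc.sub(" ", cleaned)
        for kw in KEYWORDS:
            if re.search(r"\b%s\b" % re.escape(kw), cleaned, re.IGNORECASE):
                hits.append((kw, seg))
    return hits


if __name__ == "__main__":
    sample = build_sample()
    print("raw-byte scan:   ", naive_scan(sample))
    print("decoded-text scan:", tuned_scan(sample))
```

On the constructed sample the raw-byte scan reports AMAC, Kismet, RAYTOWN and sfind (the last from "newsfinder"), and never sees the "sfind" inside the compressed stream; the decoded-text scan reports only that compressed-stream hit, which is the one an analyst would actually want to look at.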