False Positives -> Policy Modification
Do you know of a way to have policies ignore events that have already been reviewed and marked as false positive?
Here is my situation:
1. DLP is configured to look for something. PCI is the best example. It does great at finding a credit card number, then telling me it found it. If it matters let us just say we are using the DISCOVER agent.
2. I log in and nod my head that, yes, in fact DLP found a number that looks like a credit card. In some cases I validate that it IS actually a credit card, and in other cases I tell it, NO, that is a false positive. In our environment we have files that could contain a number that looks like a credit card and contains other data like dates, so I'm having a hard time reducing the false positives to make the policy worthwhile.
3. The next time the DISCOVER agent rolls along it finds the same file again and tells me, again, that it found a credit card number.
I want to mark the event as a false positive and have DLP check the database and not alert me the next time it finds the same false positive.