
False-positive learning

The point of giving an analyst a Mark benign button is to make the queue shorter next week than it is this week. This page explains what happens when you mark a pair, how suppression propagates across your workspace, and how to undo a verdict you regret.

What gets suppressed

When you mark a pair as benign, the engine records the pattern that produced it: the destination, the TLS fingerprint, the behavioral signature. On your next upload, if a new pair matches that pattern, it's automatically suppressed from the flagged list.

The match is not an exact IP match. If you dismiss Windows Update traffic from one source, the engine learns the destination + fingerprint + behavior signature, and every machine in your network hitting Windows Update gets the same treatment. You don't have to dismiss it a hundred times.

Workspace propagation

Suppressions are workspace-scoped. Your teammates in the same workspace inherit your verdicts immediately. If one analyst has already cleared the corporate EDR's phone-home pattern, nobody else has to.

Suppressions do not cross workspaces. A verdict in your Production workspace doesn't affect your Client-A workspace.

Confirm vs dismiss

Confirm malicious is not the mirror of Mark benign. Confirming a pair doesn't escalate similar future pairs automatically. What it does:

  • Locks the pair's state so future uploads don't re-score it from scratch.
  • Contributes to workspace-level statistics (the Dashboard tracks confirmed-malicious pairs over time).
  • In a future release, feeds a workspace-private threat list so the same destination shows elevated severity on subsequent uploads.

Undoing a verdict

Open the pair's investigation panel and click Reset verdict. The suppression is lifted and the pair goes back into the queue on the next upload that includes a matching pattern.

To reset verdicts in bulk, visit Settings, then Workspace, then Verdicts. Every verdict you've issued is listed with the pattern it suppressed, and you can reset individual rows or clear all at once.

Saved-pair limits

Recon plans can save 3 verdicts. Hunter and up save unlimited. If you hit the Recon limit, the oldest verdict is evicted when you add a new one; you'll see a warning before this happens.

Dismissing an actually-malicious pair is the one mistake this system can't catch for you. If you suspect you've mis-dismissed a real beacon, reset the verdict and re-upload the original capture; the engine will re-score it from scratch.
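To make the behaviour described on this page concrete, here is a small model of a verdict store, added as an illustration; it is not Strixl's code and does not reflect the engine's internals. It keys suppressions on the destination + TLS fingerprint + behavior signature tuple rather than the source IP, scopes them per workspace, supports single and bulk reset, and evicts the oldest verdict when a Recon-plan workspace exceeds three. The class and method names (`Pair`, `SuppressionStore`, `mark_benign`, `reset_verdict`), the plan keys `"recon"` and `"hunter"`, and every sample pair are assumptions constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pair:
    """One source/destination pair as it might appear in an upload (constructed shape)."""
    src_ip: str
    dst: str        # destination host or IP
    tls_fp: str     # TLS client fingerprint (e.g. a JA3-style hash)
    behavior: str   # behavioral signature label, e.g. "periodic-poll"

    def pattern(self):
        # The source IP is deliberately NOT part of the key: one verdict covers
        # every machine producing the same destination + fingerprint + behavior.
        return (self.dst, self.tls_fp, self.behavior)


class SuppressionStore:
    """Workspace-scoped store of 'Mark benign' verdicts (hypothetical model)."""

    # Saved-verdict limits per plan; None means unlimited. Plan names are assumptions.
    PLAN_LIMITS = {"recon": 3, "hunter": None}

    def __init__(self):
        self._verdicts = {}   # workspace -> OrderedDict(pattern -> analyst), oldest first
        self._plans = {}      # workspace -> plan name

    def set_plan(self, workspace, plan):
        self._plans[workspace] = plan

    def _limit(self, workspace):
        return self.PLAN_LIMITS[self._plans.get(workspace, "recon")]

    def would_evict(self, workspace, pair):
        """True when marking this pair would push out the oldest verdict (the warning case)."""
        store = self._verdicts.get(workspace, {})
        limit = self._limit(workspace)
        return pair.pattern() not in store and limit is not None and len(store) >= limit

    def mark_benign(self, workspace, pair, analyst):
        """Record the pair's pattern for this workspace.

        Returns the evicted pattern when the plan limit forces one out, else None.
        Re-marking an already-suppressed pattern is a no-op."""
        store = self._verdicts.setdefault(workspace, OrderedDict())
        key = pair.pattern()
        if key in store:
            return None
        evicted = None
        if self.would_evict(workspace, pair):
            evicted, _ = store.popitem(last=False)   # oldest verdict goes first
        store[key] = analyst
        return evicted

    def reset_verdict(self, workspace, pair):
        """Lift the suppression for this pair's pattern; True if one was lifted."""
        store = self._verdicts.get(workspace, {})
        return store.pop(pair.pattern(), None) is not None

    def reset_all(self, workspace):
        """Clear every verdict in the workspace; returns how many were cleared."""
        count = len(self._verdicts.get(workspace, {}))
        self._verdicts[workspace] = OrderedDict()
        return count

    def is_suppressed(self, workspace, pair):
        # Verdicts never cross workspaces: only this workspace's store is consulted.
        return pair.pattern() in self._verdicts.get(workspace, {})

    def filter_flagged(self, workspace, pairs):
        """Apply suppressions to a new upload's flagged pairs."""
        return [p for p in pairs if not self.is_suppressed(workspace, p)]


if __name__ == "__main__":
    store = SuppressionStore()
    store.set_plan("production", "recon")
    # Constructed sample: Windows Update seen from two hosts, one pattern.
    wu_host_a = Pair("10.0.0.5", "update.microsoft.com", "ja3:constructed-1", "periodic-poll")
    wu_host_b = Pair("10.0.0.77", "update.microsoft.com", "ja3:constructed-1", "periodic-poll")
    store.mark_benign("production", wu_host_a, "alice")
    print("host B suppressed in production:", store.is_suppressed("production", wu_host_b))
    print("host B suppressed in client-a:  ", store.is_suppressed("client-a", wu_host_b))
```

The `would_evict` check is where a UI would raise the warning the page mentions before the oldest Recon verdict is dropped; `filter_flagged` is the step a new upload would pass through so that matching pairs never reach the flagged list.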