Use Update False Positive as Rule Action
Configure Update False Positive as the rule action to mark an IOC as non-malicious or not dangerous.
To use Update False Positive as the action rule, do the following:
In the action box, select Update False Positive as the rule action.
Select CTIX as the application to implement the rule.
Select an account to identify the instance to run the rule.
Set Update False Positive Status as one of the following:
Unmark: Unmarks the IOC as a false positive to define further actions that may be required for the IOC.
Mark: Marks the IOC as a false positive to define no further actions are required for the IOC.