# Whitelisting

Whitelisting allows analysts to suppress false positives by creating precise, targeted rules directly from security alerts. This ensures benign activity is excluded while maintaining full detection coverage.

***

## When to Whitelist

* Only for **confirmed false positives** after validating the activity is legitimate and authorized.
* Always **narrow the scope** — target the exact scenario that triggered the alert. Avoid wildcards (`*`) and overly broad filters.

***

## How to Whitelist

1. Open the false positive alert in the dashboard.
2. Click **Interactions** in the alert details.
3. Select **Whitelist** from the menu.
4. Define the rule using exact fields and values. Test the syntax first in the **Security Detections** interface.
   * Example (narrow):

     ```
     user.name:John AND destination.port:(135 OR 445) AND agent.name:johnPC
     ```
   * Example (O365 Impossible Travel):

     ```
     user.name:"Ethan Harrison" AND source.ip:(221.221.112.112 OR 199.199.123.123)
     ```
5. Provide a **reason for the whitelist** (e.g., "Expected login from approved IPs").
6. Save and apply — the rule takes effect immediately.

***

## Features

* **Instant effect**: Matching alerts are suppressed immediately.
* **Audit trail**: All whitelist actions are recorded in **MySOC → Whitelisting History**.
* **Safe validation**: Rules with invalid syntax are rejected automatically.

***

## Managing Whitelists

* **Edit or Remove**: Go back to the original alert, open **Interactions**, and adjust the rule.
* **Review History**: Use the **Whitelisting History** dashboard to audit all entries and prune outdated ones.

***

## Best Practices

* Use the **narrowest criteria** (e.g., user, host, port, IP).
* Always document the reason for creating the whitelist.
* Periodically review and remove old whitelists to prevent detection gaps.

***

## Video Walkthrough

{% embed url="<https://www.youtube.com/embed/2iY8UNd3S4w?si=QZ8ytV6-Laj0Z0ZU>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.threatdefence.com/soc-analyst-guide/security-detections/whitelisting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.