Managing False Positives and Alert Fatigue
Stairwell surfaces findings continuously as files are collected and analyzed. Over time, environments accumulate alerts for objects that have already been reviewed and confirmed as benign. Without a strategy for tracking reviewed items, analysts spend time re-triaging the same objects repeatedly.
This guide explains how to use Opinions, Tags, and Intake Filters together to reduce noise, track your team's decisions, and prevent already-reviewed objects from cluttering future investigations.
The three tools
| Tool | What it does | When to use it |
|---|---|---|
| Opinion | Applies a human verdict to an object (TRUSTED, GRAYWARE, MALICIOUS, etc.) | When you've made a security decision about a specific file |
| Tag | Attaches a free-form label to an object | When you want to categorize, track, or annotate without changing the verdict |
| Intake Filter | Prevents matching files from being collected in the future | When you want to stop seeing a class of files entirely |
These tools work together. A common workflow: review an object, apply a TRUSTED opinion, add a tag for tracking, and optionally create an intake filter to stop collecting it from future assets.
Using Opinions to suppress known-good noise
When Stairwell flags a file that your team has reviewed and confirmed as benign -- an internal tool, a known third-party library, a sanctioned application -- apply a TRUSTED opinion to it.
What TRUSTED does:
- Marks the object as explicitly reviewed and approved by your team.
- Lets triage views that filter on unreviewed findings exclude it in future (the exact effect depends on how your queues and searches are filtered).
- Creates an auditable record of when the decision was made and by whom.
How to set an opinion:
- Open the object's detail page in Stairwell.
- Locate the Opinion field in the metadata panel.
- Select TRUSTED (or the appropriate value) from the dropdown.
- The opinion takes effect immediately and is scoped to your environment -- other customers are not affected.
Important: Opinions are per-object (per-hash). If an internal tool is regularly updated, each new version will be a different object and will require its own review. Use intake filters (see below) to handle frequently-updated known-good software at scale.
See Opinions for a full description of opinion values.
Using Tags to track review status
Tags let you annotate objects with labels your team defines. Useful tagging conventions include:
| Tag | Meaning |
|---|---|
| reviewed | Object has been examined by an analyst |
| benign-confirmed | Confirmed safe, no action needed |
| vendor-approved | Known vendor software, approved by security team |
| remediated | Threat was identified and addressed |
| pending-review | Queued for review, not yet examined |
| false-positive | Flagged by a rule but confirmed not a threat in this context |
Setting a tag:
- Open the object's detail page.
- Click the Tags field and enter your label.
- Tags are searchable -- you can filter searches and threat reports by tag to find all objects with a given status.
Using tags for remediation tracking: Because Stairwell does not currently have a native "mark as remediated" state, tags are the recommended way to record that a threat has been addressed. Apply a remediated tag after confirming that a malicious file has been removed from affected assets. Combined with a MALICIOUS opinion, this gives your team a clear record of the object's history: detected, triaged, and resolved.
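The following Python model is added here as an illustration; it is not part of Stairwell's product or API. It shows how opinions and tags, keyed per object by SHA-256, drive a triage queue: objects with a TRUSTED opinion drop out, a MALICIOUS object stays open until it carries the remediated tag, and a rebuilt version of a tool that was marked TRUSTED comes back as unreviewed because its hash is new. The Finding class, the status names, the dict-based store and the sample bytes are all constructed for the example.

```python
"""Triage-queue model driven by Opinions and Tags.

Added example, not Stairwell's code or API. Opinions and tags are held in
plain dicts keyed by SHA-256, mirroring the per-object (per-hash) scope
described above.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

TRUSTED = "TRUSTED"
MALICIOUS = "MALICIOUS"
# Tag conventions from the table above that mark an object as already looked at.
REVIEW_TAGS = {"reviewed", "benign-confirmed", "vendor-approved", "false-positive"}


@dataclass
class Finding:
    sha256: str
    name: str
    opinion: Optional[str] = None          # human verdict, None if none set yet
    tags: Set[str] = field(default_factory=set)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_status(f: Finding) -> str:
    """Classify one finding for the queue.

    trusted      TRUSTED opinion: suppressed as known-good
    remediated   MALICIOUS opinion plus the remediated tag: closed
    open-threat  MALICIOUS opinion without remediated: still needs cleanup
    annotated    no opinion, but a review tag: examined, no verdict recorded
    unreviewed   nothing recorded: needs analyst time
    """
    if f.opinion == TRUSTED:
        return "trusted"
    if f.opinion == MALICIOUS:
        return "remediated" if "remediated" in f.tags else "open-threat"
    if f.tags & REVIEW_TAGS:
        return "annotated"
    return "unreviewed"


def apply_decisions(findings: Iterable[Finding],
                    opinions: Dict[str, str],
                    tags: Dict[str, Set[str]]) -> List[Finding]:
    """Attach stored per-hash opinions and tags to freshly surfaced findings.

    A rebuilt binary has a new hash, so nothing decided about the previous
    build carries over to it.
    """
    out = []
    for f in findings:
        f.opinion = opinions.get(f.sha256)
        f.tags = set(tags.get(f.sha256, set()))
        out.append(f)
    return out


def triage_queue(findings: Iterable[Finding]) -> List[Finding]:
    """Only the objects an analyst still has to act on."""
    return [f for f in findings if triage_status(f) in ("unreviewed", "open-threat")]


# ---- constructed sample data (stand-ins for real binaries) ----------------
TOOL_V1 = b"internal-deploy-helper build 1.0"
TOOL_V2 = b"internal-deploy-helper build 1.1"
MALWARE = b"constructed sample of a malicious file"
V1_HASH, V2_HASH, MAL_HASH = (sha256_hex(blob) for blob in (TOOL_V1, TOOL_V2, MALWARE))

# Decisions the team recorded after its last review, keyed by hash.
STORED_OPINIONS = {V1_HASH: TRUSTED, MAL_HASH: MALICIOUS}
STORED_TAGS = {V1_HASH: {"reviewed", "vendor-approved"}, MAL_HASH: {"remediated"}}


def demo() -> Tuple[Dict[str, str], List[Finding]]:
    """Re-run triage after the tool was updated from 1.0 to 1.1."""
    findings = apply_decisions(
        [Finding(V1_HASH, "deploy-helper.exe"),
         Finding(V2_HASH, "deploy-helper.exe"),   # same name, new hash
         Finding(MAL_HASH, "invoice.pdf.exe")],
        STORED_OPINIONS, STORED_TAGS)
    return {f.sha256: triage_status(f) for f in findings}, triage_queue(findings)


if __name__ == "__main__":
    statuses, queue = demo()
    for h, status in statuses.items():
        print(f"{h[:12]}...  {status}")
    print("needs analyst attention:", [f.name for f in queue])
```

Running it puts only the 1.1 build in the queue: the 1.0 build is suppressed by its TRUSTED opinion and the remediated sample is closed, while the new hash has no decision attached to it at all. That is the per-hash behaviour the Important note above describes, and the reason frequently updated tools are better handled with an intake filter.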
Using Intake Filters to stop collecting specific files
Intake Filters prevent the forwarder from uploading files that match specified criteria. Once a filter is active, matching files are not ingested into Stairwell, which means they won't generate sightings or appear in search results.
Use Intake Filters for:
- High-volume known-good files that appear on every asset (OS binaries, common frameworks)
- Internal tools that are updated frequently and consistently generate noise
- Files that meet your criteria for exclusion from monitoring (low-risk file types, approved software categories)
Caution: Intake Filters create permanent blind spots. Only use them for files where you are confident no variant will pose a security risk. A filter on a specific hash is safer than a filter on a file path or name pattern, which could inadvertently suppress malicious files placed in expected locations.
To configure intake filters, see Intake Filters.
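The following Python model is added as an illustration and is not Stairwell's forwarder code or its filter syntax. It evaluates two hypothetical filter shapes, an exact hash and a path glob, over three constructed file events, including a file at the vendor's install path whose content has been replaced on one host. The path filter drops that file before it is ever collected; the hash filter does not.

```python
"""Intake-filter matching model: hash filters versus path filters.

Added example, not Stairwell's forwarder code or its filter syntax. The two
filter shapes are hypothetical; the point is the size of the blind spot each
one creates.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_filter(event: FileEvent, flt: Dict[str, str]) -> bool:
    """Decide whether one filter drops one event.

    {"hash": "<sha256>"}  exact content match
    {"path": "<glob>"}    case-insensitive glob over the full path
    """
    if "hash" in flt:
        return event.sha256 == flt["hash"]
    if "path" in flt:
        return fnmatch.fnmatchcase(event.path.lower(), flt["path"].lower())
    raise ValueError(f"unknown filter shape: {flt}")


def partition(events: Iterable[FileEvent],
              filters: List[Dict[str, str]]) -> Tuple[List[FileEvent], List[FileEvent]]:
    """Split events into (collected, dropped) under a filter set."""
    collected, dropped = [], []
    for ev in events:
        if any(matches_filter(ev, f) for f in filters):
            dropped.append(ev)
        else:
            collected.append(ev)
    return collected, dropped


# ---- constructed sample events -------------------------------------------
KNOWN_GOOD = sha256_hex(b"vendor-agent 4.2 (constructed stand-in)")
REPLACED = sha256_hex(b"attacker binary dropped at the vendor path (constructed)")

EVENTS = [
    FileEvent(r"C:\Program Files\Vendor\agent.exe", KNOWN_GOOD),   # normal install
    FileEvent(r"C:\Program Files\Vendor\agent.exe", REPLACED),     # same path, new content on one host
    FileEvent(r"C:\Users\alice\Downloads\agent.exe", KNOWN_GOOD),  # known-good copy elsewhere
]

HASH_FILTER = [{"hash": KNOWN_GOOD}]
PATH_FILTER = [{"path": r"C:\Program Files\Vendor\agent.exe"}]


def blind_spot(filters: List[Dict[str, str]]) -> List[str]:
    """Hashes dropped by the filters that are not the reviewed known-good hash.

    Anything listed here never reaches Stairwell, so it cannot be searched,
    matched by YARA, or flagged later.
    """
    _, dropped = partition(EVENTS, filters)
    return sorted({ev.sha256 for ev in dropped if ev.sha256 != KNOWN_GOOD})


if __name__ == "__main__":
    for label, flt in (("hash filter", HASH_FILTER), ("path filter", PATH_FILTER)):
        collected, dropped = partition(EVENTS, flt)
        print(f"{label}: collected {len(collected)}, dropped {len(dropped)}, "
              f"blind spot {blind_spot(flt)}")
```

The hash filter drops both copies of the reviewed binary and nothing else, so the replaced file at the vendor path is still collected. The path filter drops everything at that path, including the replaced file, which is the permanent blind spot the caution above warns about.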
Decision framework: which tool to use
Use this guide to choose the right approach for a given situation:
You've reviewed a specific file and confirmed it's benign:
→ Set opinion to TRUSTED. Optionally add a reviewed or benign-confirmed tag.
You want to track that your team has handled a specific threat:
→ Set opinion to MALICIOUS (if it is one). Add a remediated tag after cleanup.
You're seeing the same known-good internal tool on every asset:
→ Set opinion to TRUSTED on its current version. If it updates frequently, consider an Intake Filter to stop collecting future versions.
A YARA rule is generating alerts on a file you know is safe in your environment:
→ Adjust the YARA rule scope, or set a TRUSTED opinion on the specific file. Do not suppress at the intake layer unless you are certain no malicious variant would trigger the same rule.
You want to stop collecting a class of files entirely:
→ Create an Intake Filter. Use hash-based filters where possible for precision.
