Hiding false positives, revoked credentials, etc.
Sometimes, Security for Confluence will find false positives, credentials which have already been revoked, etc. If this happens, you can mark the finding as reviewed. This marks the finding, as well as any other findings which exactly match it, as reviewed in the current and future scans.
Security for Confluence has two ways to do this:
Confluence users with contributor permissions can review findings from their alerts, and space administrators, Confluence administrators, and users with read permissions who have been granted explicit app access can review findings from the Security Analysis page. Findings reviewed this way are scoped to the space the finding is in.
Confluence administrators and anyone granted explicit access can review findings globally, on the Soteri Security Settings page.
On the Soteri Dashboard, reviewed false positives are not counted towards the total finding count per space.
Reviewing in the scope of a Space
Users with space contributor permissions can review findings for a particular space.
Reviewing a finding from the Security Analysis
Click the Mark reviewed button on the finding you want to review. This opens a confirmation window.
Marking a finding as reviewed saves the exact string captured by the rule (in this case, AKIAIO5FODNN7EXAMPLE). That exact string will be marked as reviewed for all existing and future scans.
After the finding is marked as reviewed, all other findings of that exact string will disappear from the Security Analysis.
Reviewed findings can be shown again with the Show reviewed toggle, where they can also be unmarked.
Note that reviewed false positives are scoped to a space; that is, identical findings across multiple spaces must be reviewed separately.
Exporting reviewed false positives
Information about reviewed false positives, such as who marked them reviewed and when, may be exported from the Security Analysis by clicking “Export Space” and then “Reviewed False Positives”.
Note that reviewed false positives are stored independently of any findings. In other words, after clicking “Mark Reviewed” on a finding, that text persists and marks all future matching results as reviewed, even if the original finding is deleted.
You can also export reviewed false positives in all your spaces from the Soteri Dashboard.
Auditing who reviewed findings
When a finding is marked or unmarked reviewed, an audit log event is generated. This audit event includes who made the change, what rule generated the finding, and a link to the Security Analysis for viewing what exactly was reviewed. For more information, see Viewing Audited Events.
Reviewing findings globally
Confluence administrators, or anyone granted explicit access (see Granting Access to Additional Users and Groups), can add reviewed false positives which apply across all spaces in your Confluence instance using a CSV upload workflow.
Findings which match any of the global false positives show up as “Globally Reviewed” on the Security Analysis pages, and cannot be reviewed in the space scope.
Adding new global false positives
Navigate to the settings page. Then, click on the “Add Reviewed” button under “Globally Review Findings”.
Clicking on this button will open a modal which allows you to download a template for adding global false positives, and select an existing file to upload.
Uploaded files should be CSVs with a single column titled “Match text”. Every row will be interpreted as a case-sensitive globally reviewed text to add.
You can copy over the “Match text” column from an export to create the upload file.
An audit log event is generated when globally reviewed false positives are added. See Viewing Audited Events for more information.
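One way to build the upload file from an export, as an added example (not Soteri's code). Only the “Match text” column title comes from this page; the other column names and the sample rows are constructed assumptions.

```python
import csv
import io

MATCH_COLUMN = "Match text"  # column title the upload format requires

# Constructed sample export. Only "Match text" is a column name from the page;
# "Reviewed by" and "Reviewed at" are assumed names for the other exported fields.
SAMPLE_EXPORT = '''Match text,Reviewed by,Reviewed at
AKIAIO5FODNN7EXAMPLE,alice,2024-01-05
"pass,word""1",bob,2024-01-06
AKIAIO5FODNN7EXAMPLE,carol,2024-02-01
akiaio5fodnn7example,bob,2024-02-02
,dave,2024-02-03
 padded-token ,erin,2024-02-04
'''


def build_upload(export_text):
    """Return (upload_csv_text, warnings) for a reviewed-findings export."""
    reader = csv.DictReader(io.StringIO(export_text, newline=""))
    if MATCH_COLUMN not in (reader.fieldnames or []):
        raise ValueError(f"export has no {MATCH_COLUMN!r} column")
    seen, rows, warnings = set(), [], []
    for record in reader:
        text = record[MATCH_COLUMN]
        if not text:
            warnings.append(f"line {reader.line_num}: empty match text skipped")
            continue
        if text in seen:  # exact duplicate; differing case counts as distinct
            continue
        if text != text.strip():
            # Kept unchanged: entries are exact strings, trimming would alter one.
            warnings.append(f"line {reader.line_num}: leading/trailing whitespace kept")
        seen.add(text)
        rows.append(text)
    out = io.StringIO(newline="")
    writer = csv.writer(out, lineterminator="\n")  # quotes commas and quotes as needed
    writer.writerow([MATCH_COLUMN])
    writer.writerows([r] for r in rows)
    return out.getvalue(), warnings


if __name__ == "__main__":
    upload, notes = build_upload(SAMPLE_EXPORT)
    print(upload, end="")
    for note in notes:
        print("warning:", note)
```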
Deleting globally reviewed false positives
Navigate to the settings page. Then, click on the “Remove Reviewed” button under “Globally Review Findings”.
Clicking on this button will open a modal which allows you to download a template for removing globally reviewed false positives, and select an existing file to upload.
Uploaded files should be CSVs with a single column titled “Match text”. Every row will be interpreted as a case-sensitive globally reviewed text to remove.
You can un-review by copying the “Match text” from an export of globally reviewed findings.
An audit log event is generated when globally reviewed false positives are removed. See Viewing Audited Events for more information.
Exporting globally reviewed false positives
Navigate to the settings page. Then, click on the “Export” button under “Globally Review Findings”.
Exports are in CSV format and include:
The exact text that is considered reviewed
Who reviewed it
When it was reviewed
Globally reviewed false positives can also be exported via REST API.