Every ArcSight user or administrator is faced with false positive rule triggers while delivering a threat intelligence feed into ArcSight.
This mostly happens when threat intel source events are not excluded from the rule condition, or when the connector tries to resolve all IP addresses and host names that it processes.
Adherence to these simple rules will allow you to avoid false positive correlation:
As a result, you get a large number of excess events that cause false positive rule triggers.
To disable the ‘Name Resolution’ option on a connector, go to:
In all Use Cases from SOC Prime, TI source events are excluded in the main filters.
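The two causes described above can be shown with a small, added simulation (not ArcSight code and not part of the SOC Prime content): a toy correlation rule that fires when an event's source or destination address matches a threat-intel indicator. The ArcSight field names (deviceVendor, deviceProduct, sourceAddress, destinationAddress) are real, but every event, indicator and the "SOC Prime / TI Feed" source identity are constructed for the demo. Without a main-filter exclusion, the indicator-import events produced by the TI connector itself match the rule and trigger it; with the exclusion, only the genuine firewall event remains. The last function shows how much extra lookup work a connector with Name Resolution enabled would do on the same events, including resolving the indicator addresses that only ever appeared in the feed.

```python
"""Toy ArcSight-style correlation: why TI source events must be excluded
from rule conditions. All events and indicators below are constructed."""

# Constructed indicator set, as a TI feed would deliver it (documentation IPs).
TI_INDICATORS = {"198.51.100.23", "203.0.113.77"}

# Assumed identity of the TI connector; used as the main-filter exclusion.
TI_SOURCES = {("SOC Prime", "TI Feed")}

# Constructed sample events. Events 1-2 are the feed's own indicator imports;
# events 3-4 are ordinary firewall traffic events.
SAMPLE_EVENTS = [
    {"id": 1, "deviceVendor": "SOC Prime", "deviceProduct": "TI Feed",
     "name": "Indicator imported", "destinationAddress": "198.51.100.23"},
    {"id": 2, "deviceVendor": "SOC Prime", "deviceProduct": "TI Feed",
     "name": "Indicator imported", "destinationAddress": "203.0.113.77"},
    {"id": 3, "deviceVendor": "Palo Alto", "deviceProduct": "PAN-OS",
     "name": "Traffic allowed", "sourceAddress": "10.0.0.5",
     "destinationAddress": "198.51.100.23"},
    {"id": 4, "deviceVendor": "Palo Alto", "deviceProduct": "PAN-OS",
     "name": "Traffic allowed", "sourceAddress": "10.0.0.8",
     "destinationAddress": "192.0.2.10"},
]

ADDRESS_FIELDS = ("sourceAddress", "destinationAddress")


def is_ti_source_event(event):
    """True if the event was produced by the TI connector itself."""
    return (event.get("deviceVendor"), event.get("deviceProduct")) in TI_SOURCES


def matches_indicator(event):
    """Rule condition: any address field equals a known indicator."""
    return any(event.get(field) in TI_INDICATORS for field in ADDRESS_FIELDS)


def correlate(events, exclude_ti_source):
    """Return ids of events that trigger the 'traffic to TI indicator' rule.

    exclude_ti_source=False models a rule with no main-filter exclusion;
    exclude_ti_source=True models the exclusion described in the article.
    """
    hits = []
    for event in events:
        if exclude_ti_source and is_ti_source_event(event):
            continue  # dropped by the main filter before the condition runs
        if matches_indicator(event):
            hits.append(event["id"])
    return hits


def addresses_to_resolve(events):
    """Addresses a connector with Name Resolution enabled would look up.

    Every address field of every event is resolved, so the indicator
    addresses from the feed itself are resolved too, adding lookup load
    and generating events for hosts no internal system ever contacted.
    """
    return {event[field] for event in events
            for field in ADDRESS_FIELDS if field in event}


if __name__ == "__main__":
    print("no exclusion :", correlate(SAMPLE_EVENTS, exclude_ti_source=False))
    print("with exclusion:", correlate(SAMPLE_EVENTS, exclude_ti_source=True))
    print("lookups if Name Resolution is on:", len(addresses_to_resolve(SAMPLE_EVENTS)))
```

Running the block reports events 1, 2 and 3 as hits without the exclusion (two of them false positives caused by the feed's own import events) and only event 3 with it; the resolution set shows five distinct addresses the connector would try to resolve, two of which exist only in the feed.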