Operations
False-positive review and allowlisting
Review suspected false positives and collect the details needed for allowlisting or Cybora support.
Last updated: June 15, 2026
On this page
Threat intelligence can occasionally match infrastructure that a customer considers legitimate in their environment. A consistent review workflow helps distinguish a real false positive from expected blocking.
Collect evidence
Capture:
- Indicator that matched.
- Timestamp and timezone.
- Firewall rule or policy name.
- Source and destination.
- Application or service affected.
- Business impact.
- Whether the traffic was blocked, rejected, or only logged.
Local allowlisting
If the firewall supports local exceptions, create the narrowest possible allowlist entry. Prefer a specific destination, source, application, or policy scope instead of bypassing the entire feed globally.
Submit for review
Send the collected evidence to Cybora support when you believe an indicator should be removed or reviewed globally. Include logs and the reason the destination is expected to be safe.
Follow-up
After an indicator is reviewed, remove temporary local exceptions if they are no longer needed. Keep a short record of why the exception existed and when it was closed.