Browse docs

Operations

False-positive review and allowlisting

Review suspected false positives and collect the details needed for allowlisting or Cybora support.

Last updated: June 15, 2026

On this page

Threat intelligence can occasionally match infrastructure that a customer considers legitimate in their environment. A consistent review workflow helps distinguish a real false positive from expected blocking.

Collect evidence

Capture:

  • Indicator that matched.
  • Timestamp and timezone.
  • Firewall rule or policy name.
  • Source and destination.
  • Application or service affected.
  • Business impact.
  • Whether the traffic was blocked, rejected, or only logged.

Local allowlisting

If the firewall supports local exceptions, create the narrowest possible allowlist entry. Prefer a specific destination, source, application, or policy scope instead of bypassing the entire feed globally.

Submit for review

Send the collected evidence to Cybora support when you believe an indicator should be removed or reviewed globally. Include logs and the reason the destination is expected to be safe.

Follow-up

After an indicator is reviewed, remove temporary local exceptions if they are no longer needed. Keep a short record of why the exception existed and when it was closed.