False positive learning
Analysts can teach SOCPilot which alerts are false positives, duplicates or expected — every suppression is explainable and auditable.
Last updated 4/7/2026
SOCPilot learns from analyst decisions. When an analyst marks an alert as false positive, duplicate or expected behavior, that decision is captured as feedback for future triage.
How feedback is captured
- Each closed alert records the decision, reason, and the evidence that drove it
- Suppression rules can be created from a closed alert with a scope (entity, integration, alert type) and an expiry
- Suppression rules are versioned and visible in Settings → Triage learning
What stays auditable
- Every suppression rule has an author, justification and review date
- Suppressed alerts still flow into the system as "suppressed" — they are never silently discarded
- Auditors and SOC leads can review the suppression list at any time
What never gets suppressed
- Critical-severity alerts that would impact production assets are never auto-suppressed by the model
- Suppressions cannot be applied retroactively to delete prior records