False positives are incidents raised when a file that the data classification technique has marked as sensitive is in fact a non-sensitive file, or when the transfer of the file was initiated on legitimate business grounds. When the user is shown a warning that they are accessing or transferring sensitive data, they can respond by stating that the action is legitimate or that the file is non-sensitive; the incident is then recorded as a false positive. Depending on the nature of the issue, such false positives are either resolved or disregarded.
If the incident was raised by an event-based trigger (file upload, file transfer, email upload, file printing), the medium involved (application, device or website) should be added to the enterprise list so that it is trusted. If it was raised by data classification, the data rule(s) that matched should be reviewed and tuned to reduce further false positives. In either case, the sysadmin decides whether the false positive qualifies for remediation or can be ignored altogether.
A data rule that produces false positives can be fine-tuned according to the criteria it uses:
To fine-tune regex criteria, increase the occurrence count, so that a file is flagged only when the pattern appears at least that many times.
To fine-tune document matching criteria, raise the match percentage, so that a file is flagged only when it resembles the fingerprinted document more closely.
To fine-tune keyword matching criteria, update the keyword document with more relevant terms, so that incidental use of a single generic word does not trigger a match.
If frequent false positives are raised by a predefined criterion, report the issue to the Endpoint DLP Plus support team.
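As an added illustration, not code from Endpoint DLP Plus or its documentation, the following Python sketch models the two tuning knobs described above (the occurrence count of a regex pattern and the keyword match percentage) together with an enterprise list for an event-based trigger, and classifies the same constructed documents under a loose and a tuned rule set. The rule names, the sample documents, the credit-card pattern and the trusted-destination list are all hypothetical.

```python
import re
from dataclasses import dataclass

# --- Data classification rules (hypothetical model, not the product's API) --


@dataclass(frozen=True)
class RegexRule:
    name: str
    pattern: str
    min_occurrences: int  # "occurrence count": raise it to cut false positives

    def matches(self, text: str) -> bool:
        return len(re.findall(self.pattern, text)) >= self.min_occurrences


@dataclass(frozen=True)
class KeywordRule:
    name: str
    keywords: frozenset  # lower-case terms from the keyword document
    min_match_pct: int  # "match percentage": share of keywords that must appear

    def matches(self, text: str) -> bool:
        lowered = text.lower()
        hits = sum(1 for k in self.keywords if k in lowered)
        return 100 * hits / len(self.keywords) >= self.min_match_pct


def classify(text: str, rules) -> list:
    """Return the names of the rules that mark this text as sensitive."""
    return [r.name for r in rules if r.matches(text)]


# --- Event-based trigger with an enterprise (trusted) list ------------------

# Constructed list of destinations the organisation has approved.
TRUSTED_DESTINATIONS = frozenset({"sharepoint.corp.example", "mail.corp.example"})


def should_alert(text: str, destination: str, rules,
                 trusted=TRUSTED_DESTINATIONS) -> bool:
    """Raise an incident only when the file is sensitive AND the destination
    is not on the enterprise list; an approved destination never alerts."""
    return bool(classify(text, rules)) and destination not in trusted


# --- Rule sets: loose (noisy) versus tuned -----------------------------------

PAN_RE = r"\b4\d{15}\b"  # hypothetical 16-digit Visa-style number pattern
PAYROLL_TERMS = frozenset({"employee", "salary", "ssn", "bank account"})

LOOSE_RULES = (
    RegexRule("credit-card", PAN_RE, min_occurrences=1),
    KeywordRule("payroll", PAYROLL_TERMS, min_match_pct=50),
)
TUNED_RULES = (
    RegexRule("credit-card", PAN_RE, min_occurrences=3),   # count raised
    KeywordRule("payroll", PAYROLL_TERMS, min_match_pct=75),  # percentage raised
)

# Constructed sample documents.
INVOICE = "Invoice 2024-17. Order ref 4111111111111111. Total due: 120.00 EUR."
CARD_DUMP = "\n".join(f"4111{i:012d} 12/27 123" for i in range(5))
NEWSLETTER = "Employee of the month is Jane; the salary review is next quarter."
PAYROLL = "Employee J. Doe: SSN on file, salary 80000, bank account ending 1234."


def compare(text: str) -> dict:
    """Show how the same document is classified before and after tuning."""
    return {"loose": classify(text, LOOSE_RULES),
            "tuned": classify(text, TUNED_RULES)}


if __name__ == "__main__":
    for label, doc in (("invoice", INVOICE), ("card dump", CARD_DUMP),
                       ("newsletter", NEWSLETTER), ("payroll", PAYROLL)):
        print(f"{label:10s} {compare(doc)}")
    print("dump -> sharepoint:", should_alert(CARD_DUMP, "sharepoint.corp.example", TUNED_RULES))
    print("dump -> pastebin:  ", should_alert(CARD_DUMP, "pastebin.example", TUNED_RULES))
```

Under the loose rules the invoice (one incidental 16-digit number) and the newsletter (two generic words) are both flagged; raising the occurrence count to 3 and the match percentage to 75 clears both while the card dump and the real payroll record are still caught. The enterprise list handles the other case from the text: the card dump sent to an approved destination produces no incident, the same file sent elsewhere does.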