This feature is available for Engage Core and Engage Pro.
This article covers frequently asked questions and answers on the remediation process for False-Positive URL Clicks for Engage users.
Overview
False positive remediation is an automatic process that corrects a user’s Human Risk Score when a URL they clicked is initially flagged as malicious but later determined to be safe. This ensures their risk score accurately reflects actual security risks rather than penalizing users for clicks that turn out to be harmless.
| Q: | Why does my score get adjusted after I've clicked a link? |
| A: | Sometimes URLs are classified as potentially dangerous when you first click them, but further analysis reveals they're actually safe. When your organization's security team marks a URL as safe in their Threat Protection settings, the system automatically corrects your risk score to reflect this new information. This means you won't be penalized for clicking on something that was incorrectly identified as a threat. |
| Q: | How quickly will scores be corrected? |
| A: | The system checks for reclassified URLs at least once every 24 hours. Once a URL is marked as safe by your security team, the score will be adjusted during the next check, typically within one day. |
| Q: | Will score history be changed retroactively? |
| A: | Yes, historical scores will change. The score will be adjusted from the time of the corrected event forward. |
| Q: | How far back can false positives be corrected? |
| A: | The system looks back 30 days to identify and correct false positives. If you clicked on a URL more than 30 days ago that's now been marked safe, it won't be corrected as a false positive since it's beyond the correction window. |
| Q: | What happens if I've had multiple click events? |
| A: | The score is recalculated based on the remaining valid events after the false positive is removed. The system considers the following. If the false positive was the only event, the user’s actual phishing score may drop to zero. If the user has other genuine phishing click events, their score will reflect those remaining events. The timing of events matters - newer events may have more impact on the user’s current score than older ones that are already recovering. |
| Q: | Will I be notified when a false positive is corrected? |
| A: | You'll see a record in the event log indicating that a previous event has been marked as a false positive. This helps you understand why a risk score changed and provides transparency about your scoring timeline. |
| Q: | What does it mean when I see a "false positive" entry in my Event Log? |
| A: | A false positive entry shows that one of your previous phishing click events has been corrected because the URL was reclassified as safe. This entry references the original event and explains why your score was adjusted. It's good news - it means you weren't actually at risk from that particular click. |
| Q: | Who decides when a URL is marked as safe? |
| A: | Your organization's security administrators manage URL classifications through the Managed URLs settings in URL Protection. When they add a URL to the managed URL list with the allow action, the system automatically identifies related events as false positives and adjusts scores accordingly. |
| Q: | Does this affect Engage Nudges users have received? |
| A: | This feature specifically corrects the actual phishing component of users' Human Risk Scores. While it ensures accurate scoring, any actions taken based on the event, such as Nudges from Engage or being added to or removed from any of the Human Risk Groups profile groups, will not be retroactively withdrawn. |
| Q: | Is this the same for everyone in my organization? |
| A: | URL classifications are specific to your organization. If your security team marks a URL as safe, it only affects scores for users in your organization - not users in other organizations who may have clicked the same URL. |