I published an article on the IBM Security Intelligence blog : Incident Response: 5 Steps to Prevent False Positives. The article describes how false positives look like and how they can interfere with your incident response and threat intelligence processes.

I propose 5 steps to prevent false positives, including

• Prevent false positives from being added to threat intel report
• Notify analysts on likelihood of false positives in threat intel reports
• Report sightings, observables and false positives
• Inform analysts about sightings
• Disable the indicator to streamline cyber threat intel