The Hygiene connector prevents false positives from being pushed to detection or blocking by checking observables against trusted allowlists such as MISP Warninglists and other configurable benign-data sources. When an observable matches a known legitimate artifact (for example, common domains like google.com), the connector lowers its score to a very low value and applies the hygiene label, which both signals that the observable has been qualified and prevents it from being reprocessed. This systematic downgrading and tagging helps analysts and automations de-prioritize benign signals and keeps downstream controls focused on real threats.
As an OpenCTI connector, it consumes events or scheduled batches, queries external warning lists, and updates observables in place by adjusting their scores and adding the hygiene label for idempotency and auditability. To ensure it can reliably override scores set by other sources when appropriate, it is recommended to configure this connector’s maximum confidence level to 100 or at least very high, granting it the authority needed to reduce scores for allowlisted observables. Configuration supports selecting list sources, throttling, and scope, enabling precise, repeatable hygiene across the knowledge base.
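The matching and in-place downgrade described above, as an added Python example that is not the connector's own code: it runs a constructed warninglist in the MISP layout (`name`/`type`/`list`) against an observable, lowers the score, adds the `hygiene` label, and skips observables that already carry it. The downgraded score of 5 and the flat `labels` field on the observable are assumptions for the illustration; the real connector's values and OpenCTI object model may differ.

```python
import ipaddress
import re

# Constructed sample in the MISP warninglist layout (name/type/list).
# The real connector fetches the published lists instead of embedding them.
SAMPLE_WARNINGLISTS = [
    {"name": "Top websites (sample)", "type": "hostname",
     "list": ["google.com", "microsoft.com"]},
    {"name": "RFC1918 ranges (sample)", "type": "cidr",
     "list": ["10.0.0.0/8", "192.168.0.0/16"]},
]

HYGIENE_LABEL = "hygiene"  # applied once; its presence makes a rerun a no-op
HYGIENE_SCORE = 5          # assumed "very low" score; the connector's value may differ


def _matches(entry_type, values, observable_value):
    """Apply MISP warninglist matching semantics for one list type."""
    v = observable_value.lower()
    if entry_type == "hostname":
        # a hostname entry covers the host itself and any of its subdomains
        return any(v == h.lower() or v.endswith("." + h.lower()) for h in values)
    if entry_type == "cidr":
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:  # not an IP address at all, so no CIDR can match
            return False
        return any(ip in ipaddress.ip_network(c, strict=False) for c in values)
    if entry_type == "string":
        return v in (x.lower() for x in values)
    if entry_type == "substring":
        return any(s.lower() in v for s in values)
    if entry_type == "regex":
        return any(re.search(r, observable_value) for r in values)
    return False


def find_matches(observable_value, warninglists):
    """Names of every warninglist the observable value appears on."""
    return [wl["name"] for wl in warninglists
            if _matches(wl["type"], wl["list"], observable_value)]


def apply_hygiene(observable, warninglists):
    """Return (updated observable, matched list names); idempotent on rerun."""
    labels = set(observable.get("labels", []))
    if HYGIENE_LABEL in labels:
        return observable, []  # already qualified earlier, do not reprocess
    hits = find_matches(observable["value"], warninglists)
    if not hits:
        return observable, []
    updated = dict(observable)  # never lowers a score that is already lower
    updated["x_opencti_score"] = min(observable.get("x_opencti_score", 50), HYGIENE_SCORE)
    updated["labels"] = sorted(labels | {HYGIENE_LABEL})
    return updated, hits
```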