Indicator summary by hash
We're a few months into testing TDR on our systems. A few days ago, we started rollout on our student PC pools (30-40 hosts each). Whenever a software update trips the heuristics on the host sensor, at least 2-4 indicators are created per host, but most of them have the same hash. With >800 indicators that have to be dealt with, the one indicator that might be a real threat flies under the radar and might even be disregarded along with all the false positives. Of course, this will only get worse the more clients we add.

With a view-by-hash or view-by-threat feature that lists the active hashes of the indicators, the number of affected clients, if possible the filename or folder of the indicator, and the threat information, identifying real threats could be made much easier. Adding to that, if you identified an identical false-positive indicator that was generated on hundreds of hosts, disregarding these indicators or allowing the hashes all at once would also be much easier. Maybe you could even add an automatic filter by hash to the existing indicator list when you click on a specific hash in this new list.
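The triage the post asks for can be approximated today over an exported indicator list. The script below is an added example and is not part of the original post, nor WatchGuard's own code or API; it assumes a CSV export with the columns `indicator_id`, `host`, `sha256`, `path` and `threat` (a hypothetical layout) and uses a small constructed sample with made-up hashes. It groups indicators by hash, counts distinct hosts per hash so that a hash seen on one machine out of the pool stands out from the update that fired on every machine, and resolves a bulk allow/disregard decision for a hash to the set of indicator IDs it covers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical column layout, made-up hashes and
# paths). Three pool PCs: a vendor updater tripped the heuristics on all of
# them (two indicators per host, same hash), a second file is on two hosts,
# and one file in a student's Downloads folder was seen on a single host.
SAMPLE_CSV = r"""indicator_id,host,sha256,path,threat
1001,pool1-pc01,a1a1a1,C:\Program Files\Vendor\updater.exe,Heuristic
1002,pool1-pc01,a1a1a1,C:\Windows\Temp\updater_tmp.exe,Heuristic
1003,pool1-pc02,a1a1a1,C:\Program Files\Vendor\updater.exe,Heuristic
1004,pool1-pc02,a1a1a1,C:\Windows\Temp\updater_tmp.exe,Heuristic
1005,pool1-pc02,f9f9f9,C:\Users\student\Downloads\invoice.scr,Heuristic
1006,pool1-pc03,a1a1a1,C:\Program Files\Vendor\updater.exe,Heuristic
1007,pool1-pc03,a1a1a1,C:\Windows\Temp\updater_tmp.exe,Heuristic
1008,pool1-pc03,b2b2b2,C:\Program Files\Vendor\helper.dll,Heuristic
1009,pool1-pc01,b2b2b2,C:\Program Files\Vendor\helper.dll,Heuristic
"""


def load_indicators(csv_text):
    """Parse the export into a list of dicts, one per indicator."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def summarize_by_hash(indicators):
    """Collapse indicators onto their hash: affected hosts, paths, threat names."""
    groups = defaultdict(lambda: {"hosts": set(), "paths": set(),
                                  "threats": set(), "indicator_ids": []})
    for ind in indicators:
        g = groups[ind["sha256"]]
        g["hosts"].add(ind["host"])
        g["paths"].add(ind["path"])
        g["threats"].add(ind["threat"])
        g["indicator_ids"].append(ind["indicator_id"])
    summary = {}
    for sha, g in groups.items():
        summary[sha] = {
            "sha256": sha,
            "host_count": len(g["hosts"]),
            "hosts": sorted(g["hosts"]),
            "paths": sorted(g["paths"]),
            "threats": sorted(g["threats"]),
            "indicator_ids": g["indicator_ids"],
        }
    return summary


def triage_order(summary, total_hosts):
    """Rarest hashes first: a hash on 1 of N hosts deserves a look before one
    on every host, which is far more likely a fleet-wide update."""
    rows = []
    for entry in summary.values():
        row = dict(entry)
        row["prevalence"] = entry["host_count"] / total_hosts
        rows.append(row)
    return sorted(rows, key=lambda r: (r["host_count"], r["sha256"]))


def bulk_disposition(indicators, sha256, action):
    """Return the indicator IDs that a single per-hash decision ('allow' or
    'disregard') would cover. Applying it in the console/API is out of scope."""
    if action not in ("allow", "disregard"):
        raise ValueError("action must be 'allow' or 'disregard'")
    return [ind["indicator_id"] for ind in indicators if ind["sha256"] == sha256]


if __name__ == "__main__":
    inds = load_indicators(SAMPLE_CSV)
    for row in triage_order(summarize_by_hash(inds), total_hosts=3):
        print(f"{row['sha256']}  hosts={row['host_count']}  "
              f"prevalence={row['prevalence']:.0%}  paths={row['paths']}")
    print("allow a1a1a1 would close:", bulk_disposition(inds, "a1a1a1", "allow"))
```

Run stand-alone it prints the per-hash view with the single-host `invoice.scr` hash at the top and the six updater indicators collapsed onto one line; `bulk_disposition` shows how one per-hash decision maps back onto the individual indicators the console currently makes you handle one by one.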