https://community.checkpoint.com/t5/External-Risk-Management/Saved-Query-Optimization/m-p/270045#M23 <P>Hi!<BR /><BR />We have a saved query for a client for their application. The goal is to generate alerts for the client regarding their application for any mentions/attacks on the deep+dark+surface. The question is, how can we optimize the search so that there should be less noise, currently it generates a lot of false positives.</P><P>Thank you!</P> Mon, 09 Feb 2026 12:02:30 GMT MarcEsc 2026-02-09T12:02:30Z https://community.checkpoint.com/t5/External-Risk-Management/Saved-Query-Optimization/m-p/270045#M23 <P>Hi!<BR /><BR />We have a saved query for a client for their application. The goal is to generate alerts for the client regarding their application for any mentions/attacks on the deep+dark+surface. The question is, how can we optimize the search so that there should be less noise, currently it generates a lot of false positives.</P><P>Thank you!</P> Mon, 09 Feb 2026 12:02:30 GMT https://community.checkpoint.com/t5/External-Risk-Management/Saved-Query-Optimization/m-p/270045#M23 MarcEsc 2026-02-09T12:02:30Z https://community.checkpoint.com/t5/External-Risk-Management/Saved-Query-Optimization/m-p/270437#M24 <P>Hi Marc, thank you for your inquiry.</P> <P>There are various parameters you can apply to reduce false positives and noise for most queries:<BR /><BR />1. Ensure your query includes a <STRONG>textual string</STRONG>, where any 2 words or more are preceded by a <STRONG>+</STRONG> (plus) and are inside quotation marks. For example, if the app name is <EM>Fantastic Mobile</EM>, you should type <STRONG>+"</STRONG>Fantastic Mobile<STRONG>"</STRONG> in the free text field, otherwise you'll get all results for "Fantastic", "Mobile", and their combination, leading to a lot of false positives. To reduce further, you can use different operators to combine with other search terms such as "attack". Click the <STRONG>[i]</STRONG> next to the search field to view a list of available operators.</P> <P><SPAN>2. Filter by <STRONG>Source Category</STRONG>, and select the categories that best fit your query, such as App Store, Forum etc</SPAN><SPAN>.</SPAN></P> <P>3. Filter by <STRONG>Source</STRONG>, if you'd like to limit the search to&nbsp;<STRONG>specific</STRONG> stores, forums etc. For example, type&nbsp;"apk" under Source to view suggested stores. <STRONG>Note:</STRONG>&nbsp;this can considerably limit results.</P> <P>4. Filter by <STRONG>Assets:</STRONG>&nbsp;if the app is a configured&nbsp;<STRONG>asset</STRONG>, search for it. For example, if the asset is an apk name with format com.brand.appname, e.g.,&nbsp;<EM>com.azure.authenticator</EM>, start typing "com<STRONG>.</STRONG>" under Assets, and if it's configured, it displays. Select it. If it's not configured, type it in the search field instead in this format&nbsp;<STRONG>+"</STRONG>com.azure.authenticator<STRONG>"</STRONG></P> <P>5. Limit the <STRONG>timeframe</STRONG> under Created or Published if you'd only like to see items from the Last Week, Last Month etc.&nbsp;<BR /><BR />If this still doesn't reduce false positives and you need further assistance with your query, kindly open a ticket with <STRONG>Check Point Support</STRONG> and select the <STRONG>Threat Intelligence Request</STRONG> to consult an ERM expert. In some cases the service might consume coins, and you will be advised accordingly.<BR /><BR />Hope this helps.&nbsp;<BR /><BR />Noa Peleg<BR />Knowledge &amp; Enablement Lead</P> Wed, 11 Feb 2026 19:39:43 GMT https://community.checkpoint.com/t5/External-Risk-Management/Saved-Query-Optimization/m-p/270437#M24 NoaPeleg 2026-02-11T19:39:43Z