A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address to a domain controller at 3:00 AM. The user associated with the account is on vacation. Which classification best describes this alert?
Trap 1: False positive
A false positive would be an alert on benign activity; here the activity is suspicious.
Trap 2: False negative
False negative means missing a real threat; this alert fired.
Trap 3: True negative
True negative means no alert on benign activity, not applicable here.
- A. False positive
  Why wrong: A false positive would be an alert on benign activity; here the activity is suspicious.
- B. False negative
  Why wrong: False negative means missing a real threat; this alert fired.
- C. True negative
  Why wrong: True negative means no alert on benign activity, not applicable here.
- D. True positive
  Correct: The alert correctly identified a real security event.