How do you “prove” that an alert is a false positive?



False positive means something very specific: a condition is alerted upon, but that condition does not exist. It is a binary thing; the condition either exists, or it doesn't. If the condition exists, but the vulnerability is not exploitable because of effective layered defense or the threat is otherwise mitigated, that's not a false positive, it is mitigation in place. True false positives are rare for well-implemented platforms.

False positives are very easy to prove: either the condition exists or it doesn't, the thing is happening or it isn't. Whether that's an un-correlated event in the SIEM, a vulnerability related to a particular configuration or to a particular software version, that condition is easily provable through investigation of the configuration of the system in question and the logs. Either the configuration is wrong, or there is a vulnerable piece of software, or the thing happened, or there isn't/it didn't. It only gets confusing when people confuse it by saying "oh, but you can't exploit it" or "oh, it didn't get exploited" and call THAT a false positive, when it's not. That is "mitigation in place" or an event that did not correlate with others to become an incident. Mitigation in place is more difficult to prove because it is not binary, unlike a false positive.

In the case of an IOC that is alerting, you have to demonstrate that there is mitigation in place and show where in the kill chain that IOC lives, with the mitigation effectively killing it. Or, again, you can show that it doesn't actually have the condition that is being alerted.
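The two-step triage the answer describes, as an added example that is not part of the original post: first the binary check (does the alerted condition exist on the asset, per its inventory and configuration?), and only if it does, the non-binary question of whether a control earlier in the kill chain mitigates it. The asset, alert and mitigation values are constructed samples, and the rule that a mitigation counts only at or before the IOC's kill-chain stage is this example's assumption.

```python
"""Added triage example (constructed data, not from the original answer)."""
from dataclasses import dataclass, field

KILL_CHAIN = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]

@dataclass
class Asset:
    host: str
    software: dict                                   # name -> installed version
    config: dict                                     # setting -> value
    mitigations: dict = field(default_factory=dict)  # kill-chain stage -> control

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def condition_exists(alert: dict, asset: Asset) -> bool:
    """Binary check: is the alerted condition actually present on the asset?"""
    if alert["kind"] == "vulnerable_version":
        installed = asset.software.get(alert["software"])
        return installed is not None and version_tuple(installed) < version_tuple(alert["fixed_in"])
    if alert["kind"] == "misconfiguration":
        return asset.config.get(alert["setting"]) == alert["bad_value"]
    raise ValueError(f"unknown alert kind {alert['kind']!r}")

def triage(alert: dict, asset: Asset) -> str:
    if not condition_exists(alert, asset):
        return "false positive"          # condition absent: provable from config/inventory
    stage = KILL_CHAIN.index(alert["kill_chain_stage"])
    # Assumption: a control counts as mitigation only if it cuts the chain at or
    # before the stage where this IOC lives; later controls limit impact, not this condition.
    covered = [s for s in asset.mitigations if KILL_CHAIN.index(s) <= stage]
    if covered:
        return "mitigation in place (" + "; ".join(asset.mitigations[s] for s in covered) + ")"
    return "true positive"

# Constructed sample alerts and assets ("acme-agent" is a placeholder product name).
VULN_ALERT = {"kind": "vulnerable_version", "software": "acme-agent",
              "fixed_in": "2.4.2", "kill_chain_stage": "exploit"}
CONFIG_ALERT = {"kind": "misconfiguration", "setting": "PermitRootLogin",
                "bad_value": "yes", "kill_chain_stage": "exploit"}
PATCHED = Asset("web01", {"acme-agent": "2.4.3"}, {"PermitRootLogin": "no"})
EXPOSED = Asset("web02", {"acme-agent": "2.4.1"}, {"PermitRootLogin": "yes"})
SHIELDED = Asset("web03", {"acme-agent": "2.4.1"}, {"PermitRootLogin": "yes"},
                 mitigations={"deliver": "ingress ACL blocks the service from untrusted nets"})

if __name__ == "__main__":
    for asset in (PATCHED, EXPOSED, SHIELDED):
        print(asset.host, "->", triage(VULN_ALERT, asset))
```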
