This section describes true and false positives for alerts.

True Positives

True positives are alerts that are correctly labeled as malicious. They include:

  • Fileless scripting attack or malicious events that might involve malware or other threats
  • A file that might have a reputation of KNOWN_MALWARE, SUSPECT_MALWARE, or PUP, or might be NOT_LISTED (for example, a zero-day (“0-day”) threat not yet seen by the reputation service)
  • Observed behavior or TTPs might be suspicious based on what is “normal” for your environment
  • Detection: Malicious activity might be detected but not prevented. Typically, this means that a policy needs to be strengthened.
  • Prevention: Blocking might take place, but only parts of the attack may have been stopped, possibly because of different stages of the attack. Stronger policies are likely needed.

False Positives

False positives are alerts that are incorrectly labeled as malicious or flagged as one of the threat reputations (e.g., KNOWN_MALWARE, SUSPECT_MALWARE, PUP).

False positives can be triggered when:

  • A common application is incorrectly flagged because its behavior or the TTPs it exhibits are judged suspicious
  • Software that touches canary files triggers ransomware alerts
  • Unknown in-house programs are deemed suspicious
  • Programs that might not have been excluded cause conflicts (that is, interoperability or unwanted blocks)