DE.AE-08.307

Does your incident response process account for known false positives when determining incident classification and response criteria?

Explanation

This question assesses whether your organization has mechanisms to identify and manage false positive alerts within your security monitoring systems. False positives can consume valuable resources and create alert fatigue if not properly managed. Effective incident response processes should include criteria that help distinguish genuine security incidents from false alarms based on historical data and known system behaviors. Evidence could include documentation of your incident classification framework that specifically addresses false positive handling, historical data showing false positive rates and adjustments made, or runbooks that include steps for validating alerts before escalation.

Implementation Example

Take known false positives into account when applying incident criteria

ID: DE.AE-08.307

Context

Function: DE: DETECT
Category: DE.AE: Adverse Event Analysis
Sub-Category: Incidents are declared when adverse events meet the defined incident criteria
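The following is an added worked example, not code from ResponseHub or from any framework text, showing one way to apply incident criteria that account for known false positives as the explanation above describes. It assumes a documented false-positive register (entries with exact-match fields, a justification and an expiry date), a per-rule history of analyst dispositions used to derive a historical false-positive rate, and two thresholds (severity and false-positive rate) that are illustrative assumptions, not values from the page. All sample alerts, hosts, rule names and counts are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Constructed sample register of known false positives. Each entry names the
# rule it applies to, the alert fields that must match exactly, why the
# behaviour is benign, and when the entry must be re-reviewed (assumed schema).
KNOWN_FALSE_POSITIVES = [
    {
        "id": "FP-001",
        "rule": "suspicious-powershell-encoded",
        "match": {"host": "build-agent-03", "user": "svc-build"},
        "reason": "CI pipeline invokes encoded PowerShell by design",
        "expires": date(2025, 12, 31),
    },
    {
        "id": "FP-002",
        "rule": "port-scan-internal",
        "match": {"source_ip": "10.0.5.20"},
        "reason": "Authorised vulnerability scanner",
        "expires": date(2024, 1, 31),  # already expired: must not suppress anything
    },
]

# Constructed history of analyst dispositions per rule, the "historical data"
# from which a rule's false-positive rate is derived.
DISPOSITION_HISTORY = {
    "suspicious-powershell-encoded": {"true_positive": 4, "false_positive": 36},
    "port-scan-internal": {"true_positive": 9, "false_positive": 1},
    "credential-dump-lsass": {"true_positive": 3, "false_positive": 0},
}

SEVERITY_INCIDENT_THRESHOLD = 3   # assumed: severity at or above this may declare an incident
FP_RATE_VALIDATE_THRESHOLD = 0.5  # assumed: noisier rules require manual validation first


@dataclass
class Alert:
    rule: str
    severity: int
    fields: Dict[str, str]


@dataclass
class Classification:
    outcome: str                    # "suppressed", "event", "validate" or "incident"
    reason: str
    matched_fp: Optional[str] = None
    fp_rate: Optional[float] = None


def false_positive_rate(rule: str) -> Optional[float]:
    """Historical false-positive rate for a rule, or None when no history exists."""
    hist = DISPOSITION_HISTORY.get(rule)
    if not hist:
        return None
    total = hist["true_positive"] + hist["false_positive"]
    return hist["false_positive"] / total if total else None


def matching_known_fp(alert: Alert, today: date) -> Optional[dict]:
    """Return the first unexpired register entry whose rule and every match field equal the alert's."""
    for entry in KNOWN_FALSE_POSITIVES:
        if entry["rule"] != alert.rule or entry["expires"] < today:
            continue
        if all(alert.fields.get(k) == v for k, v in entry["match"].items()):
            return entry
    return None


def classify(alert: Alert, today: date) -> Classification:
    """Apply the incident criteria, taking the false-positive register and history into account."""
    # 1. A documented, unexpired false positive is suppressed but still recorded for audit.
    entry = matching_known_fp(alert, today)
    if entry:
        return Classification("suppressed", entry["reason"], matched_fp=entry["id"])
    # 2. Below the severity threshold the alert is an adverse event, not an incident.
    if alert.severity < SEVERITY_INCIDENT_THRESHOLD:
        return Classification("event", "below incident severity threshold")
    # 3. A historically noisy rule is validated by an analyst before escalation.
    rate = false_positive_rate(alert.rule)
    if rate is not None and rate >= FP_RATE_VALIDATE_THRESHOLD:
        return Classification("validate", "rule has a high historical false-positive rate", fp_rate=rate)
    # 4. Otherwise the alert meets the defined incident criteria.
    return Classification("incident", "meets incident criteria", fp_rate=rate)


if __name__ == "__main__":
    today = date(2025, 6, 1)
    samples = [
        Alert("suspicious-powershell-encoded", 4, {"host": "build-agent-03", "user": "svc-build"}),
        Alert("suspicious-powershell-encoded", 4, {"host": "workstation-17", "user": "jdoe"}),
        Alert("port-scan-internal", 3, {"source_ip": "10.0.5.20"}),
        Alert("credential-dump-lsass", 5, {"host": "dc-01"}),
    ]
    for a in samples:
        print(a.rule, a.fields, "->", classify(a, today))
```

Note that the expired scanner entry (FP-002) no longer suppresses the port-scan alert, so it is escalated on its own merits; the noisy PowerShell rule on an undocumented host is routed to validation rather than auto-declared, while the low-noise LSASS rule meets the criteria directly. Both the suppression id and the rate land in the returned record so the decision can be audited later.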


Signature
Neil Cameron
Founder, ResponseHub