Does your incident response process account for known false positives when determining incident classification and response criteria?
Explanation
This question examines whether your incident response process accounts for known false positives when classifying incidents and setting response criteria. False positives consume analyst time and create alert fatigue if they are not managed deliberately. An effective incident response process should include criteria that distinguish genuine security incidents from false alarms, based on historical data and documented, expected system behaviour.
Evidence could include documentation of your incident classification framework that specifically addresses false positive handling, historical data showing false positive rates and adjustments made, or runbooks that include steps for validating alerts before escalation.
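As an added illustration (not part of this question catalogue or of the NIST CSF text), the following Python shows one way the validation step in a runbook can be made explicit: an alert is matched against a documented list of known false positives, each with an owner, a stated reason and an expiry date, before incident criteria are applied. Entries that have expired are ignored rather than silently extended, and a small report surfaces the data an assessor would ask for (suppression rate, entries about to expire, entries that never match). All rule names, hosts, IP addresses and suppression entries below are constructed sample data.

```python
"""Alert triage that applies a register of known false positives before
declaring an incident. Added example; all sample data is constructed."""
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Alert:
    rule: str      # name of the detection rule that fired
    host: str
    src_ip: str
    user: str
    ts: datetime


@dataclass
class KnownFalsePositive:
    """A documented, time-boxed suppression entry (hypothetical schema)."""
    id: str
    rule: str                 # exact rule name or glob, e.g. "PortScan*"
    host: str = "*"
    src_ip: str = "*"
    user: str = "*"
    reason: str = ""
    owner: str = ""
    expires: Optional[datetime] = None
    hits: int = 0

    def is_expired(self, now: datetime) -> bool:
        return self.expires is not None and now >= self.expires

    def matches(self, a: Alert) -> bool:
        # An expired entry never matches: suppressions must be re-reviewed, not inherited.
        if self.is_expired(a.ts):
            return False
        return (fnmatchcase(a.rule, self.rule) and fnmatchcase(a.host, self.host)
                and fnmatchcase(a.src_ip, self.src_ip) and fnmatchcase(a.user, self.user))


# Constructed incident criteria: rule-name pattern -> severity. Medium and high declare an incident.
SEVERITY = {"Malware*": "high", "BruteForce*": "high", "PortScan*": "medium"}


def classify(alert: Alert, known_fps: list) -> dict:
    """Return the triage decision for one alert, checking known false positives first."""
    for fp in known_fps:
        if fp.matches(alert):
            fp.hits += 1   # usage is recorded so the register can be reviewed
            return {"status": "suppressed", "severity": "none", "ref": fp.id}
    sev = next((s for pat, s in SEVERITY.items() if fnmatchcase(alert.rule, pat)), "low")
    status = "incident" if sev in ("high", "medium") else "triage"
    return {"status": status, "severity": sev, "ref": None}


def suppression_report(known_fps: list, results: list, now: datetime) -> dict:
    """Evidence an assessor would ask for: rate, stale entries, entries that never fire."""
    suppressed = sum(1 for r in results if r["status"] == "suppressed")
    soon = now + timedelta(days=7)
    return {
        "suppression_rate": suppressed / len(results) if results else 0.0,
        "expired": [fp.id for fp in known_fps if fp.is_expired(now)],
        "expiring_soon": [fp.id for fp in known_fps
                          if fp.expires is not None and now <= fp.expires <= soon],
        "unused": [fp.id for fp in known_fps if fp.hits == 0 and not fp.is_expired(now)],
    }


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time

# Constructed register: each entry names an owner and a reason, and expires.
KNOWN_FPS = [
    KnownFalsePositive("FP-0001", rule="PortScan*", src_ip="10.0.5.20", owner="vuln-mgmt",
                       reason="Authorised weekly vulnerability scanner", expires=NOW + timedelta(days=90)),
    KnownFalsePositive("FP-0002", rule="BruteForce*", host="app-legacy-01", user="svc_backup",
                       owner="platform", reason="Backup agent retries with stale credential; fix ticketed",
                       expires=NOW + timedelta(days=5)),
    KnownFalsePositive("FP-0003", rule="Malware*", host="lab-*", owner="red-team",
                       reason="Lab exercise, now finished", expires=NOW - timedelta(days=1)),
]

# Constructed alerts covering a match, a near-miss and an expired suppression.
SAMPLE_ALERTS = [
    Alert("PortScan-Internal", "web-01", "10.0.5.20", "-", NOW),          # scanner -> suppressed
    Alert("PortScan-Internal", "web-01", "198.51.100.7", "-", NOW),       # other source -> incident
    Alert("BruteForce-SSH", "app-legacy-01", "10.0.1.9", "svc_backup", NOW),  # suppressed
    Alert("BruteForce-SSH", "app-legacy-01", "10.0.1.9", "admin", NOW),   # wrong user -> incident
    Alert("Malware-Beacon", "lab-03", "10.0.9.3", "-", NOW),              # entry expired -> incident
    Alert("Policy-UnusualLogin", "hr-02", "10.0.2.2", "jdoe", NOW),       # no criteria -> triage
]


def run_sample() -> tuple:
    """Triage the sample alerts against a fresh copy of the register."""
    register = deepcopy(KNOWN_FPS)
    results = [classify(a, register) for a in SAMPLE_ALERTS]
    return results, suppression_report(register, results, NOW)


if __name__ == "__main__":
    results, report = run_sample()
    for a, r in zip(SAMPLE_ALERTS, results):
        print(f"{a.rule:22} {a.host:14} {a.user:11} -> {r['status']:10} {r['severity']:6} {r['ref'] or ''}")
    print(report)
```

The register is intentionally narrow: a suppression is keyed on the combination of rule, host, source and user that was actually validated, so the same rule firing from an unexpected source or for a different account still reaches the incident criteria. The expiry and hit counters give the historical data the evidence section above asks for.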
Implementation Example
Take known false positives into account when applying incident criteria
ID: DE.AE-08.307
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: Incidents are declared when adverse events meet the defined incident criteria
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?