
Exam SY0-601 topic 1 question 34 discussion

Actual exam question from CompTIA's SY0-601
Question #: 34
Topic #: 1

A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later, another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?

  • A. True negative
  • B. True positive
  • C. False positive
  • D. False negative
Suggested Answer: C

Comments

redsidemanc2
Highly Voted 2 years, 7 months ago
Selected Answer: C
True Positive: A legitimate attack which triggers an alarm. You have a brute force alert, and it triggers. You investigate the alert and find out that somebody was indeed trying to break into one of your systems via brute force methods.

False Positive: An event that produces an alarm when no attack has taken place. You investigate another of these brute force alerts and find out that it was just some user who mistyped their password a bunch of times, not a real attack.

False Negative: When no alarm is raised even though an attack has taken place. Someone was trying to break into your system, but they did so below the threshold of your brute force attack logic. For example, you set your rule to look for ten failed logins in a minute, and the attacker did only 9. The attack occurred, but your control was unable to detect it.

True Negative: An event where no attack has taken place and no detection is made. No attack occurred, and your rule didn't fire.
upvoted 26 times
redsidemanc2
2 years, 7 months ago
Alarms triggered and the CISO blocked the scanner IP. Later the scanner is not working because the CISO blocked the scanner.
upvoted 5 times
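The four outcomes redsidemanc2 lists above, as an added worked example that is not part of this discussion or of CompTIA's material: a toy brute-force rule (at least ten failed logins from one source inside a one-minute window) is run over constructed auth log lines, each source's alert status is compared with the analyst's later verdict, and the question's scanner scenario is classified the same way. The log format, the 10.0.0.x addresses, the threshold and the ground-truth verdicts are all assumptions constructed for the example; only 192.168.34.26 comes from the question.

```python
"""Classify SIEM alert outcomes (TP / FP / FN / TN) against analyst ground truth.

Added example, not from the discussion or from CompTIA: a toy brute-force
rule is run over constructed auth log lines, and each source IP's alert status
is compared with what the analyst later confirmed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Rule parameters (assumed for this example): alert on a source IP that produces
# at least FAIL_THRESHOLD failed logins inside any span of length WINDOW.
FAIL_THRESHOLD = 10
WINDOW = timedelta(minutes=1)

# Constructed log lines (not real data). Format assumed for this example:
# "<ISO timestamp> src=<ip> result=<FAIL|OK>".
SAMPLE_LOG = "\n".join(
    # 10.0.0.5: ten failures in under a minute, later confirmed hostile -> TP
    [f"2024-05-01T10:00:{s:02d} src=10.0.0.5 result=FAIL" for s in range(0, 30, 3)]
    # 10.0.0.7: ten failures, a user repeatedly mistyping a password -> FP
    + [f"2024-05-01T10:05:{s:02d} src=10.0.0.7 result=FAIL" for s in range(0, 50, 5)]
    # 10.0.0.9: nine failures, an attacker staying under the threshold -> FN
    + [f"2024-05-01T10:10:{s:02d} src=10.0.0.9 result=FAIL" for s in range(0, 45, 5)]
    # 10.0.0.11: two failures then success, an ordinary user -> TN
    + ["2024-05-01T10:15:00 src=10.0.0.11 result=FAIL",
       "2024-05-01T10:15:07 src=10.0.0.11 result=FAIL",
       "2024-05-01T10:15:15 src=10.0.0.11 result=OK"]
)

# Constructed analyst verdicts: True means the source really was hostile.
GROUND_TRUTH = {"10.0.0.5": True, "10.0.0.7": False, "10.0.0.9": True, "10.0.0.11": False}


def parse_log(text):
    """Yield (timestamp, src_ip, result) from the assumed log format, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_field, result_field = line.split()
        yield datetime.fromisoformat(ts), src_field.split("=", 1)[1], result_field.split("=", 1)[1]


def brute_force_alerts(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return the set of source IPs whose failed logins trip the sliding-window rule."""
    failures = defaultdict(list)
    for ts, src, result in parse_log(log_text):
        if result == "FAIL":
            failures[src].append(ts)
    alerted = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(src)
                break
    return alerted


def classify(alerted, ground_truth):
    """Map each source to its confusion-matrix cell: alert fired x source really hostile."""
    outcomes = {}
    for src, hostile in ground_truth.items():
        fired = src in alerted
        if fired:
            outcomes[src] = "TP" if hostile else "FP"
        else:
            outcomes[src] = "FN" if hostile else "TN"
    return outcomes


def summarize(outcomes):
    """Count each cell; precision and recall follow directly from these counts."""
    return dict(Counter(outcomes.values()))


def scanner_case():
    """The question's scenario: the SIEM alerted on 192.168.34.26, and the ticket days
    later showed it to be the vulnerability scanner, i.e. legitimate activity."""
    return classify({"192.168.34.26"}, {"192.168.34.26": False})["192.168.34.26"]


if __name__ == "__main__":
    outcomes = classify(brute_force_alerts(SAMPLE_LOG), GROUND_TRUTH)
    for src, cell in outcomes.items():
        print(f"{src:14} {cell}")
    print(summarize(outcomes))
    print("192.168.34.26 (the question's scanner):", scanner_case())
```

Running the file prints one cell per source. 10.0.0.9 is exactly the case redsidemanc2 describes: nine failures against a threshold of ten, so the rule stays silent and the attack is a false negative. The scanner from the question lands in the FP cell for the opposite reason: the alert fired, but the later ticket established that the activity was legitimate. Lowering `threshold` to 9 catches 10.0.0.9 but would also catch any user who fails nine times in a minute, which is the precision/recall trade-off the counts from `summarize` make visible.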
ronniehaang
Highly Voted 2 years, 2 months ago
Selected Answer: C
C. False positive. A false positive is a security alert that is generated when there is no actual threat or security violation, but the security system identifies it as such. In this scenario, the IP address 192.168.34.26 was blocked based on a security alert from the SIEM, but it turns out that the IP address was associated with a legitimate source (vulnerability scans). This results in the false positive, where the security system is blocking a legitimate activity.
upvoted 23 times
slackbot
Most Recent 2 months, 1 week ago
Selected Answer: B
Well, are these scans legit, or is someone doing something they are not supposed to do? Maybe this dude was running his own attacks from the corp network to a target on the internet. Nowhere in the question does it become clear if this is a legit scan, so I assume the worst and believe a true positive is what happens here.
upvoted 1 times
Koko_ette
1 year ago
C is the most appropriate answer.
upvoted 1 times
byuser
1 year, 2 months ago
Why is the answer not True Positive? There was anomalous activity because the scanner tried to scan systems, so the SIEM found it. That's why for me the correct answer is True Positive.
upvoted 2 times
sekkk
1 year, 2 months ago
Yeah, for me also; as you said, it was detected two times, so True Positive should be the answer.
upvoted 1 times
[Removed]
1 year ago
This would be a false positive. The IP of 192.168.34.26 is for vulnerability scans. The SIEM originally thought that this IP was doing something odd (it was probably doing vulnerability scans and thought it was prying too much or something). When the internal ticket came in saying the Vulnerability Scanners weren't working, and gave the same IP that was just blocked, that means blocking the IP broke the vulnerability scans. So that IP needs to be unblocked. A SIEM is not always accurate with its alerts. That's why there are analysts that look into it.
upvoted 2 times
alicia2024
1 year, 2 months ago
Selected Answer: C
A false positive occurs when a security system incorrectly identifies normal or benign activity as malicious or anomalous. In this scenario, the security analyst blocked the source IP address 192.168.34.26 based on the SIEM alert indicating anomalous activity. However, it turns out that this IP address was actually used for vulnerability scans, which are legitimate and expected activities within the organization. Therefore, the initial alert was a false positive because it incorrectly flagged legitimate activity as suspicious or malicious.
upvoted 1 times
[Removed]
1 year, 5 months ago
True Positive (Option B): An alert or detection correctly identifies a true security incident. True Negative (Option A): The system correctly identifies that no security incident is occurring, and no action is taken. False Positive (Option C): An alert or detection incorrectly identifies normal or legitimate activity as a security incident, leading to unnecessary actions. False Negative (Option D): The system fails to detect a real security incident, leading to a lack of action when action is needed. The Answer is C False Positive
upvoted 2 times
G_logic44
1 year, 5 months ago
Here's the explanation: The SIEM alert initially flagged the local source IP address (192.168.34.26) as anomalous, leading to the decision to block it. However, the subsequent internal ticket indicates that the IP address is associated with vulnerability scans, and blocking it has caused an issue with the vulnerability scanning process. In this case, the original alert, which led to blocking the IP, was a false positive because the flagged activity was not actually malicious but part of legitimate vulnerability scanning.
upvoted 3 times
TheFool999
1 year, 6 months ago
Selected Answer: C
It's C. It's the only one that makes sense.
upvoted 1 times
daddylonglegs
1 year, 6 months ago
Selected Answer: C
Let me break it down for those that think this is true negative. The SIEM alerted on activity from the IP address as malicious. The IP was blocked, and then the analyst received the ticket that the vulnerability scanner with that IP was not working properly. So it's a POSITIVE because there was a detection and alert about potential malicious activity. But it's a FALSE POSITIVE because this was legitimate activity from a vulnerability scanner and not actually malicious. Definitely not a false or true negative because there was an alert. Not a true positive because the IP is verified to be legitimate activity from the vuln scanner
upvoted 3 times
mjr131
1 year, 6 months ago
The security analyst blocked a legitimate IP address for vulnerability scanning, thinking it was malicious activity. The subsequent issue with vulnerability scans not being performed properly indicates that the initial alert was a false positive.
upvoted 1 times
Rider2053
1 year, 8 months ago
C is the correct answer: as that IP is used for scanning purposes, there is no suspicious activity happening with that IP.
upvoted 1 times
feroze895
1 year, 8 months ago
Selected Answer: A
Answer is A
upvoted 1 times
daddylonglegs
1 year, 6 months ago
Answer is C. True negative implies that the SIEM did not alert at all.
upvoted 1 times
RevolutionaryAct
1 year, 8 months ago
Selected Answer: C
There's no way it is a true negative as there would be no detection in the first place if this were the case, which alone eliminates the two choices with negative in the answer. What makes it a false positive is that it said there was malicious activity but instead there was none.
upvoted 3 times
Protract8593
1 year, 9 months ago
Selected Answer: C
In this scenario, the SIEM generates an alert indicating anomalous activity from the local source IP address 192.168.34.26. The Chief Information Security Officer (CISO) instructs the security analyst to block the originating source. However, after blocking the IP address, another employee reports that vulnerability scans are no longer being performed properly, and the provided IP address is also 192.168.34.26. A false positive occurs when a security tool, like the SIEM in this case, generates an alert for an event that is not actually malicious or a security threat. In other words, the initial alert was triggered incorrectly, and the activity from the IP address was not actually anomalous or malicious. Blocking the IP address based on the false positive alert caused unintended consequences and disrupted legitimate network activity, leading to the reported issues with vulnerability scans.
upvoted 3 times
david124
1 year, 9 months ago
True positive: An alert generated by a security system that correctly identifies actual malicious activity or a real security threat. True negative: When a security system correctly identifies that no malicious activity is occurring, and there is no actual security threat. False positive: An alert generated by a security system for an event or activity that is not malicious or threatening, causing unnecessary actions or disruptions. False negative: When a security system fails to detect actual malicious activity or a real security threat, resulting in a missed detection. In this case, the alert from the SIEM was a false positive as it led to blocking a benign internal IP address that was associated with vulnerability scans.
upvoted 1 times
LiteralGod
1 year, 9 months ago
Selected Answer: C
The wording of the question is terrible but considering the initial anomalous activity was in fact a legitimate process (vulnerability scan), this would be classified as a false positive.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other