Alert Thresholds — CompTIA CySA+ (CS0-003) Practice Questions
Alert thresholds define the conditions under which a monitoring tool escalates an event to an analyst for review, and setting them correctly is central to effective detection. On the CySA+ exam, candidates are expected to understand the trade-off between sensitivity and specificity: thresholds set too low flood analysts with false positives, while thresholds set too high allow real attacks to go unnoticed. Proper threshold configuration draws on baseline behavioral data, asset criticality, and known attack patterns. Reviewing and adjusting thresholds is a routine analyst responsibility that supports both SIEM tuning and overall detection coverage.
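The baseline-driven trade-off described above, as an added example that is not part of the original page: a constructed series of hourly failed-login counts from a quiet period, an alert threshold of mean + k·σ derived from that baseline, and the true/false positive counts a labelled test day produces at a low, moderate and high k. All counts, labels and k values are constructed for illustration.

```python
"""Baseline-derived alert threshold: how k trades false positives for misses."""
from statistics import mean, pstdev

# Constructed baseline: 24 hourly failed-login counts for one host during a quiet day.
BASELINE_COUNTS = [2, 3, 1, 0, 4, 2, 3, 5, 2, 1, 3, 2] * 2

# Constructed test day: (hour, failed_login_count, is_attack). Hour 8 is the
# labelled attack; hours 1, 4, 7 and 9 are benign but noisier than average.
TEST_DAY = [
    (0, 3, False), (1, 6, False), (2, 2, False), (3, 1, False),
    (4, 7, False), (5, 4, False), (6, 3, False), (7, 5, False),
    (8, 20, True), (9, 6, False), (10, 2, False), (11, 3, False),
]


def baseline_threshold(counts, k):
    """Threshold = baseline mean + k standard deviations (population stdev)."""
    return mean(counts) + k * pstdev(counts)


def evaluate(k, baseline=BASELINE_COUNTS, test=TEST_DAY):
    """Apply the threshold to labelled hours and tally detection outcomes."""
    threshold = baseline_threshold(baseline, k)
    stats = {"k": k, "threshold": round(threshold, 2),
             "tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _, count, is_attack in test:
        alerted = count > threshold
        if alerted and is_attack:
            stats["tp"] += 1
        elif alerted:
            stats["fp"] += 1   # analyst time spent on a benign spike
        elif is_attack:
            stats["fn"] += 1   # real activity below the threshold
        else:
            stats["tn"] += 1
    return stats


def sweep(ks=(1, 3, 20)):
    """Compare several k values so the sensitivity/specificity trade-off is visible."""
    return [evaluate(k) for k in ks]


if __name__ == "__main__":
    for row in sweep():
        print(row)
```

With k=1 the attack is caught but five benign hours also alert; k=3 keeps the detection with a single false positive; k=20 produces no alerts at all and the attack hour is missed.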
Free questions on alert thresholds
During a post-incident review, the security team identifies that early warning signs of the breach were visible in logs for 3 days before detection. What should be improved?