False Positives — CompTIA CySA+ (CS0-003) Practice Questions
A false positive is an alert that fires on benign activity, causing analysts to spend time investigating events that pose no real threat. The CySA+ exam tests how to distinguish false positives from true positives by correlating multiple data sources, reviewing context, and understanding normal baselines. High false positive rates degrade SOC efficiency and lead to alert fatigue, making tuning a critical operational responsibility. Candidates are expected to know both how to identify false positives and how to reduce their frequency through detection engineering.
Free questions on false positives
A company's security operations center receives an alert about potential data exfiltration, but the alert contains false positives. An analyst must design a more effective alerting strategy. Which approach should be prioritized?
Free question · hard
A company's intrusion detection system (IDS) generates approximately 10,000 alerts daily, but the security team only has capacity to investigate 2% of these alerts. Which approach best addresses this issue?
Free question · medium
More false positives questions in the full bank
- Which IDS/IPS tuning practice helps reduce false positives?
- In SIEM, what is alert tuning primarily designed to achieve?
- How should vulnerability scanner results be validated?