True positive / false positive

Definition

A true positive is an alert that correctly identifies malicious activity. A false positive is an alert that fires on legitimate traffic. Alert triage aims to resolve which category each alert belongs to before any investigative resources are committed.

Related terms

Anomaly-based IDS
An intrusion detection system that models normal traffic behaviour and alerts when observed traffic deviates significantly from that baseline. Detects novel attacks...
Five-tuple
The five fields that uniquely identify a network flow: source IP address, source port, destination IP address, destination port, and transport protocol...
Lateral movement
Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...
Proxy log
A record generated by a forward proxy server for each HTTP or HTTPS request made by an internal client. Contains the URL,...
Signature-based IDS
An intrusion detection system that compares network traffic against a database of known attack patterns (signatures). Snort and Suricata are the dominant...