False positive: scheduled backup flagged as data exfiltration
TKT-0002
Normal
Awaiting SOC
False Positive
- Created By
- c.williams
- Created
- 2026-06-16 15:28
- Last Updated
- 2026-06-19 11:43
- Assigned Analyst
- James Okonkwo
- Category
- False Positive
- Messages
- 9
Conversation
c.williams
Customer
2026-06-16 15:28
We believe the following alert may be a false positive and would like confirmation:
False positive: scheduled backup flagged as data exfiltration
This activity is part of our normal business operations. Could you review and adjust the detection rule if appropriate?
False positive: scheduled backup flagged as data exfiltration
This activity is part of our normal business operations. Could you review and adjust the detection rule if appropriate?
James Okonkwo
SOC Analyst
2026-06-16 16:33
I've checked with our threat intelligence team. The dark web finding is from a third-party breach, not a direct compromise. We recommend enforcing a password reset for the affected account.
c.williams
Customer
2026-06-16 17:52
That's reassuring. Can we schedule a call to discuss the remediation steps?
James Okonkwo
SOC Analyst
2026-06-16 20:59
I've updated the DLP policy as requested. The HR shared drive is now excluded from the external transfer monitoring rule, but internal audit logging remains active.
c.williams
Customer
2026-06-17 00:56
We've applied the patch on our end. Can you run a verification scan?
James Okonkwo
SOC Analyst
2026-06-17 04:23
The alert you referenced (ALR-00023) was generated by our DecoyPulse honeypot system. This has zero false positive rate — the activity is genuine and warrants investigation.
c.williams
Customer
2026-06-17 07:02
That's reassuring. Can we schedule a call to discuss the remediation steps?
James Okonkwo
SOC Analyst
2026-06-17 08:48
We've applied the policy change you requested. It will take effect within 15 minutes across all monitored endpoints. Please let us know if you see any issues.
c.williams
Customer
2026-06-17 12:02
We've applied the patch on our end. Can you run a verification scan?