Interactive Demo — Simulated data only. Back to SOC in a Box
SOC365 Dashboard
Acme Legal Services Ltd Live 19:36:25 UTC

False positive: scheduled backup flagged as data exfiltration

TKT-0002 Normal Awaiting SOC False Positive
Created By
d.walker
Created
2026-07-03 16:55
Last Updated
2026-07-06 11:49
Assigned Analyst
James Okonkwo
Category
False Positive
Messages
6

Conversation

d.walker Customer
2026-07-03 16:55
We believe the following alert may be a false positive and would like confirmation:

False positive: scheduled backup flagged as data exfiltration

This activity is part of our normal business operations. Could you review and adjust the detection rule if appropriate?
James Okonkwo SOC Analyst
2026-07-03 17:29
I've updated the DLP policy as requested. The HR shared drive is now excluded from the external transfer monitoring rule, but internal audit logging remains active.
d.walker Customer
2026-07-03 21:28
We've applied the patch on our end. Can you run a verification scan?
James Okonkwo SOC Analyst
2026-07-04 00:13
Good news — our analysis confirms this is a true positive. We've implemented the containment measures and will send a full incident summary within 24 hours.
d.walker Customer
2026-07-04 02:40
Thanks. Could you also check if any other accounts were affected?
James Okonkwo SOC Analyst
2026-07-04 05:14
The alert you referenced (ALR-00023) was generated by our DecoyPulse honeypot system. This has zero false positive rate — the activity is genuine and warrants investigation.

Reply