Interactive Demo — Simulated data only. Back to SOC in a Box
SOC365 Dashboard
Acme Legal Services Ltd Live 18:36:48 UTC

False positive: scheduled backup flagged as data exfiltration

TKT-0002 Normal Awaiting SOC False Positive
Created By
c.williams
Created
2026-06-16 15:28
Last Updated
2026-06-19 11:43
Assigned Analyst
James Okonkwo
Category
False Positive
Messages
9

Conversation

c.williams Customer
2026-06-16 15:28
We believe the following alert may be a false positive and would like confirmation:

False positive: scheduled backup flagged as data exfiltration

This activity is part of our normal business operations. Could you review and adjust the detection rule if appropriate?
James Okonkwo SOC Analyst
2026-06-16 16:33
I've checked with our threat intelligence team. The dark web finding is from a third-party breach, not a direct compromise. We recommend enforcing a password reset for the affected account.
c.williams Customer
2026-06-16 17:52
That's reassuring. Can we schedule a call to discuss the remediation steps?
James Okonkwo SOC Analyst
2026-06-16 20:59
I've updated the DLP policy as requested. The HR shared drive is now excluded from the external transfer monitoring rule, but internal audit logging remains active.
c.williams Customer
2026-06-17 00:56
We've applied the patch on our end. Can you run a verification scan?
James Okonkwo SOC Analyst
2026-06-17 04:23
The alert you referenced (ALR-00023) was generated by our DecoyPulse honeypot system. This has zero false positive rate — the activity is genuine and warrants investigation.
c.williams Customer
2026-06-17 07:02
That's reassuring. Can we schedule a call to discuss the remediation steps?
James Okonkwo SOC Analyst
2026-06-17 08:48
We've applied the policy change you requested. It will take effect within 15 minutes across all monitored endpoints. Please let us know if you see any issues.
c.williams Customer
2026-06-17 12:02
We've applied the patch on our end. Can you run a verification scan?

Reply