False positive: scheduled backup flagged as data exfiltration
TKT-0002
Normal
Awaiting SOC
False Positive
- Created By: h.roberts
- Created: 2026-04-08 07:00
- Last Updated: 2026-04-11 03:00
- Assigned Analyst: James Okonkwo
- Category: False Positive
- Messages: 7
Conversation
h.roberts
Customer
2026-04-08 07:00
We believe the following alert may be a false positive and would like confirmation:
False positive: scheduled backup flagged as data exfiltration
This activity is part of our normal business operations. Could you review and adjust the detection rule if appropriate?
James Okonkwo
SOC Analyst
2026-04-08 07:35
Thank you for raising this. I've reviewed the alert and can confirm we're investigating. I'll update you within the hour.
h.roberts
Customer
2026-04-08 09:39
The affected user has confirmed they changed their password. Can you verify MFA is active?
James Okonkwo
SOC Analyst
2026-04-08 12:35
The alert you referenced (ALR-00023) was generated by our DecoyPulse honeypot system. This has zero false positive rate — the activity is genuine and warrants investigation.
h.roberts
Customer
2026-04-08 14:46
The affected user has confirmed they changed their password. Can you verify MFA is active?
James Okonkwo
SOC Analyst
2026-04-08 15:35
Thank you for raising this. I've reviewed the alert and can confirm we're investigating. I'll update you within the hour.
h.roberts
Customer
2026-04-08 18:37
We've applied the patch on our end. Can you run a verification scan?