False positive: scheduled backup flagged as data exfiltration
TKT-0002
Normal
Awaiting SOC
False Positive
- Created By
- d.walker
- Created
- 2026-07-03 16:55
- Last Updated
- 2026-07-06 11:49
- Assigned Analyst
- James Okonkwo
- Category
- False Positive
- Messages
- 6
Conversation
d.walker
Customer
2026-07-03 16:55
We believe the following alert may be a false positive and would like confirmation:
False positive: scheduled backup flagged as data exfiltration
This activity is part of our normal business operations. Could you review and adjust the detection rule if appropriate?
False positive: scheduled backup flagged as data exfiltration
This activity is part of our normal business operations. Could you review and adjust the detection rule if appropriate?
James Okonkwo
SOC Analyst
2026-07-03 17:29
I've updated the DLP policy as requested. The HR shared drive is now excluded from the external transfer monitoring rule, but internal audit logging remains active.
d.walker
Customer
2026-07-03 21:28
We've applied the patch on our end. Can you run a verification scan?
James Okonkwo
SOC Analyst
2026-07-04 00:13
Good news — our analysis confirms this is a true positive. We've implemented the containment measures and will send a full incident summary within 24 hours.
d.walker
Customer
2026-07-04 02:40
Thanks. Could you also check if any other accounts were affected?
James Okonkwo
SOC Analyst
2026-07-04 05:14
The alert you referenced (ALR-00023) was generated by our DecoyPulse honeypot system. This has zero false positive rate — the activity is genuine and warrants investigation.