TryHackMe — Incident Response Fundamentals | Cyber Security 101 (THM)
What are Incidents?
Computing devices constantly run interactive and non-interactive processes, each generating numerous events. While many of these events are routine, some can indicate malicious activity. Security solutions collect these events as logs and help identify potentially harmful activities.
When a security solution detects suspicious events, it triggers an alert. The security team then examines these alerts to identify false positives (non-harmful alerts) and true positives (genuine threats). For example:
- False Positive: An alert triggered by high data transfer, later found to be a routine backup.
- True Positive: An alert for a phishing email that was indeed a phishing attempt.
True positive alerts, once confirmed, are called incidents. Incidents are assigned severity levels (low, medium, high, or critical) to help prioritize responses, with critical incidents addressed first.
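To make the event-to-incident flow above concrete, here is a small added example (not part of the TryHackMe room) that models it end to end: constructed events pass through detection rules to become alerts, an analyst verdict marks each alert as a true or false positive, and confirmed true positives become incidents ordered by severity. The rule names, thresholds, hosts and verdicts are all invented for illustration.

```python
"""Model of the event -> alert -> triage -> incident pipeline.
All events, rules and analyst verdicts here are constructed for the example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Event:
    event_id: int
    host: str
    kind: str      # "net_transfer", "email" or "auth_failure"
    value: int     # bytes transferred, flagged-link count or failed-login count


@dataclass
class Alert:
    rule: str
    event: Event
    default_severity: Severity
    verdict: Optional[str] = None   # "true_positive" | "false_positive", set during triage


@dataclass
class Incident:
    alert: Alert
    severity: Severity


# Constructed sample events (not real telemetry).
EVENTS = [
    Event(1, "fileserver01", "net_transfer", 800 * 1024 * 1024),  # nightly backup job
    Event(2, "ws-alice", "email", 1),                             # mail carrying a flagged link
    Event(3, "ws-bob", "net_transfer", 12 * 1024 * 1024),         # ordinary browsing
    Event(4, "vpn-gw", "auth_failure", 25),                       # burst of failed logins
]

# Detection rules: (name, predicate over an event, default severity). Hypothetical thresholds.
RULES = [
    ("high_data_transfer", lambda e: e.kind == "net_transfer" and e.value > 500 * 1024 * 1024, Severity.MEDIUM),
    ("phishing_email", lambda e: e.kind == "email" and e.value > 0, Severity.HIGH),
    ("brute_force_logins", lambda e: e.kind == "auth_failure" and e.value >= 10, Severity.HIGH),
]

# Constructed analyst decisions keyed by event_id: True = true positive, False = false positive.
ANALYST_VERDICTS = {1: False, 2: True, 4: True}
# Severity can be raised or lowered after investigation; the phishing case is escalated here.
SEVERITY_OVERRIDES = {2: Severity.CRITICAL}


def detect(events):
    """Raise one alert for every (event, rule) pair whose predicate matches."""
    alerts = []
    for ev in events:
        for name, matches, sev in RULES:
            if matches(ev):
                alerts.append(Alert(name, ev, sev))
    return alerts


def triage(alerts, verdicts):
    """Attach the analyst's true/false-positive verdict to each alert."""
    for a in alerts:
        decision = verdicts.get(a.event.event_id)
        if decision is not None:
            a.verdict = "true_positive" if decision else "false_positive"
    return alerts


def to_incidents(alerts, overrides):
    """Confirmed true positives become incidents, sorted highest severity first."""
    incidents = [
        Incident(a, overrides.get(a.event.event_id, a.default_severity))
        for a in alerts
        if a.verdict == "true_positive"
    ]
    return sorted(incidents, key=lambda i: i.severity, reverse=True)


def run_pipeline():
    """Run detection, triage and prioritisation over the constructed events."""
    alerts = triage(detect(EVENTS), ANALYST_VERDICTS)
    return alerts, to_incidents(alerts, SEVERITY_OVERRIDES)


if __name__ == "__main__":
    alerts, incidents = run_pipeline()
    for a in alerts:
        print(f"alert    {a.rule:<20} host={a.event.host:<13} verdict={a.verdict}")
    for i in incidents:
        print(f"incident {i.alert.rule:<20} severity={i.severity.name}")
```

Running it shows the backup transfer raising an alert that triage dismisses as a false positive, while the phishing mail and the login burst become incidents, with the escalated phishing case queued ahead of the high-severity brute-force attempt.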
Answer the questions below:
- What is triggered after an event or group of events point at a harmful activity?
  Alert
- If a security solution correctly identifies a harmful activity from a set of events, what type of alert is it?
  true positive
- If a fire alarm is triggered by smoke after cooking, is it a true positive or a false positive?
  false positive