Exam CS0-003
Question 140

An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

    Correct Answer: C

    The control was designed to trigger on ten failed logins within one minute. Since there were only nine failed logins, the alert was not triggered. However, an attack did occur and was not detected because the number of failed logins did not meet the threshold set by the alert rule. This situation is a False Negative because a legitimate attack was not flagged by the security system.
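As an added illustration, not part of the exam question or its published explanation, the following Python model reproduces the rule under discussion (ten failures from one source within a one-minute sliding window) and runs it over constructed sshd-style log lines. It also labels each outcome with the confusion-matrix term the discussion argues about: the nine-failure burst is an attack that produces no alert (false negative), a ten-failure burst alerts (true positive), and a quiet log with no attack produces no alert (true negative). The log format, threshold helper and the lower-threshold variant are assumptions for this example only.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sshd-style failure line; the format is an assumption for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def make_failed_logins(count, start, spacing_seconds, user="admin", src="203.0.113.7"):
    """Build `count` constructed failed-login lines, `spacing_seconds` apart."""
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=i * spacing_seconds)
        lines.append(
            f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} sshd[1201]: Failed password for {user} "
            f"from {src} port {51000 + i}"
        )
    return lines


def parse(line):
    """Return (timestamp, user, source) for a failed-login line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"]


def threshold_alerts(lines, threshold, window):
    """Sliding-window rule: alert when `threshold` failures from one source fall within `window`."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _user, src = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, len(q)))
            q.clear()  # one burst yields one alert, not one per extra failure
    return alerts


def classify(attack_occurred, alert_raised):
    """Map ground truth against rule output onto the usual confusion-matrix label."""
    if attack_occurred and alert_raised:
        return "true positive"
    if attack_occurred and not alert_raised:
        return "false negative"
    if not attack_occurred and alert_raised:
        return "false positive"
    return "true negative"


def evaluate_scenario(failures, threshold=10, window=timedelta(minutes=1), attack_occurred=True):
    """Generate `failures` events 5 s apart, run the rule, and return (label, alert count)."""
    start = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = make_failed_logins(failures, start, spacing_seconds=5)
    alerts = threshold_alerts(lines, threshold, window)
    return classify(attack_occurred, bool(alerts)), len(alerts)


if __name__ == "__main__":
    print("9 failures, rule 10/min:", evaluate_scenario(9))                    # false negative
    print("10 failures, rule 10/min:", evaluate_scenario(10))                  # true positive
    print("no attack, rule 10/min:", evaluate_scenario(0, attack_occurred=False))  # true negative
    print("9 failures, rule 5/min:", evaluate_scenario(9, threshold=5))        # true positive
```

The last scenario shows the mitigation implied by the published explanation: with the same log, a lower threshold (or, equivalently, a longer window) turns the missed attack into a detection. The cost of that tuning is more alerts on legitimate typo bursts, which is the false-positive side of the same trade-off; the rule's correctness is judged against what actually happened, not against whether its own condition was met.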

Discussion
[Removed] (Option: B)

The answer is B) True negative. The criteria for triggering the alert were 10 failed logins. Only 9 occurred, so no alert should be generated since the criteria weren't met. If it's reporting prematurely, then the SIEM rule is failing and generating a false positive. If no attack was detected with 9 failed logins, then the rule is working, in other words, a True Negative, meaning there really wasn't an alert that needed to be reported.

ChanceFreedom

"However, the control was unable to detect an attack with nine failed logins." It said behavior "attack" was a negative. False negative. I hate semantics

RiccardoBellitto

The question states that the control was unable to DETECT AN ATTACK with nine failed logons. Breaking down this sentence: there has been an attack and it wasn't detected. So the answer is False negative.

LB54

The SIEM rule indeed worked as expected by not triggering an alert at 9 failed login attempts. However, the issue lies in the threshold being set too high. Since the threshold was 10 failed logins within one minute, it failed to detect an actual attack when there were 9 failed logins. This situation is indeed a False Negative because the rule missed a legitimate security event.

Saad76 (Option: C)

There has BEEN AN ATTACK, and it failed to alert because the threshold was too high, therefore it is a False Negative.

499f1a0 (Option: B)

True negative makes sense because the control was unable to detect an attack, which means it exists but is not reported. It can't be false negative because the attack exists, and false negative means it does not exist/is not reported.

ariel004

agree 100% !

KingCyber (Option: B)

100 percent True Negative

captaintoadyo (Option: B)

I don't understand why people choose answer C; this is very incorrect. The firewall rule not triggering was correct: it has been set to TRIGGER ONLY AFTER 10 failed login attempts, the criteria were not met, and the trigger did not happen. The answer True negative is correct.

section8santa (Option: C)

trust me

Eduardoo7 (Option: B)

Doesn't matter if it was supposed to detect 10 fails or 10000 fails. Until the condition is met, the rule in this case is a true negative.

CyberJackal (Option: C)

It's a stupid question, but the SIEM falsely reported that an attack did not occur when it in fact did: a false negative.

a3432e2 (Option: C)

The failure to detect nine failed logins when the rule is set to trigger at ten means the rule did not identify an attack that was occurring. This is characteristic of a failure in the detection mechanism for legitimate threats. "The failure to detect nine failed logins when the rule is set to trigger at ten means the rule did not identify an attack that was occurring. This is characteristic of a failure in the detection mechanism for legitimate threats." - Source: The Official CompTIA CySA+ Study Guide, Topic 6B Explore Vulnerability Validation Concepts

a3432e2

"When a vulnerability scan incorrectly identifies that a vulnerability does not exist. For example, when a vulnerability scan identifies that a web server is using compliant cipher suites when it is not, if the scanner is misconfigured or uses an outdated signature engine during evaluation. False negatives are the most concerning issue as they represent a failure of the scanning tool to report on a legitimate issue. Using multiple scanning tools can mitigate the risk of false negatives because the scan outputs of each tool can be correlated to identify vulnerabilities more confidently." - Here's the CompTIA reference.

LB54 (Option: C)

The SIEM rule worked as expected by not triggering an alert at 9 failed login attempts. However, the issue lies in the threshold being set too high. Since the threshold was 10 failed logins within one minute, it failed to detect an actual attack when there were 9 failed logins. This situation is a False Negative because the rule missed a legitimate security event.

zecomeia_007 (Option: B)

The answer is B) True negative

SHADTECH123 (Option: B)

Therefore, the SIEM rule's behavior in not alerting for nine failed logins is an example of a True negative. It correctly recognized that the conditions specified (ten failed logins within one minute) were not fulfilled, hence no alert was generated. So, the best representation of what occurred in this scenario is B. True negative.

ckditro (Option: C)

The question implies there is an issue here that wasn't detected. Think of it as a pregnancy test. What do you want to get? Is it a false negative and a baby on your lap, or a true negative and a cold beer?

Rumchata556 (Option: B)

The threshold for failed logins is 10, and the number of logins that actually failed is 9, so this is in fact an accurate reading, making it a true negative.

BanesTech (Option: C)

A false negative occurs when a security control or detection mechanism fails to identify a genuine security threat or attack that actually occurred. In this case, the SIEM rule did not trigger an alert for nine failed logins within one minute, even though this activity could potentially indicate a brute-force or password-guessing attack. As a result, the organization missed detecting suspicious activity, leading to a false sense of security and leaving the system vulnerable to compromise.

Rumchata556

Wrong, their threshold is 10 failed logins, so the alert should not have been triggered, making this a true negative.

RiccardoBellitto (Option: C)

There has been an attack and it wasn't detected. So the answer is False negative.

Kmelaun (Option: C)

This exam is really made to trick you, but the answer is C. The SIEM failed to alert the organization about an attack, which is the definition of a false negative. If there hadn't been an attack, this would be considered a true negative.