CompTIA CySA+ (CS0-003) — Question 427

An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

Answer options

Correct answer: C

Explanation

The correct answer is C, False negative: a real attack occurred, but the rule's threshold of ten failed logins within one minute was never reached by nine attempts, so the SIEM raised no alert for an event it should have detected. The other options do not apply here: a false positive would be an alert for an event that did not happen, a true negative means the system correctly identified the absence of an attack, and a true positive would mean the attack was detected, which did not happen in this case.
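To make the four outcome categories concrete, the following Python snippet is an added illustration, not part of the question set or any vendor material. It implements a minimal sliding-window version of the rule described in the question (N failed logins from one source within one minute), runs it over a constructed auth log in which one source produces exactly nine failures, and labels each source as true/false positive/negative against a constructed ground truth. All event data, IP addresses and function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): (timestamp, user, source_ip, outcome)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "alice", "10.0.0.5", "success"),
    ("2024-01-01T10:00:02", "bob",   "10.0.0.9", "failure"),   # one typo, then success
    ("2024-01-01T10:00:20", "bob",   "10.0.0.9", "success"),
] + [
    # nine failures from one source within one minute: the scenario in the question
    (f"2024-01-01T10:05:{5 * i:02d}", "admin", "198.51.100.7", "failure") for i in range(9)
]

# Constructed ground truth: which sources were actually attacking
GROUND_TRUTH = {"198.51.100.7": True, "10.0.0.9": False, "10.0.0.5": False}


def failed_login_alerts(events, threshold=10, window=timedelta(minutes=1)):
    """Sliding-window rule: alert when `threshold` failures from one source
    fall within `window`. Returns {source_ip: [alert timestamps]}; a source
    that never reaches the threshold simply does not appear."""
    recent = defaultdict(deque)   # per-source timestamps of failures inside the window
    alerts = defaultdict(list)
    for ts_str, _user, src, outcome in sorted(events):   # ISO timestamps sort lexically
        if outcome != "failure":
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src].append(ts)
            q.clear()                     # one alert per burst
    return dict(alerts)


def classify(alerted: bool, attack_occurred: bool) -> str:
    """Confusion-matrix label for a single source."""
    if alerted and attack_occurred:
        return "true positive"
    if alerted and not attack_occurred:
        return "false positive"
    if not alerted and attack_occurred:
        return "false negative"
    return "true negative"


def evaluate(events, ground_truth, threshold=10):
    """Run the rule and label every source in the ground truth."""
    alerts = failed_login_alerts(events, threshold=threshold)
    return {src: classify(src in alerts, attacked) for src, attacked in ground_truth.items()}


if __name__ == "__main__":
    for threshold in (10, 5):
        print(f"threshold={threshold}: {evaluate(SAMPLE_EVENTS, GROUND_TRUTH, threshold)}")
```

With the threshold at ten, the attacking source is labelled "false negative": nine failures never trip the rule, exactly the outcome in the question. Lowering the threshold to five turns the same burst into a "true positive", and the legitimate user with a single failure stays a "true negative" either way. Any fixed count-in-window rule has this blind spot just below its threshold, so in practice the threshold and window are tuned against observed baseline failure rates, and a complementary slower-window rule (fewer failures over a longer period) is often paired with it.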