CompTIA Security+ (SY0-601) — Question 26
A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later, another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?
Answer options
- A. True negative
- B. True positive
- C. False positive
- D. False negative
Correct answer: C
Explanation
The correct answer is C, False positive. The SIEM flagged 192.168.34.26 as malicious and the address was blocked, but the "anomalous" traffic was in fact the organization's own vulnerability scanner doing its authorized job, which is why the scans stopped working once the block was in place. A true positive would mean the alert was valid and the threat was real; a true negative would mean no alert fired and there was genuinely nothing to find; a false negative would mean a real threat went undetected. The practical lesson is to validate an alert against known infrastructure (asset inventory, scanner allowlists) before taking a disruptive action such as blocking an internal host.