Certified SOC Analyst (CSA v2) — Question 3

An attacker attempts to gain unauthorized access to a secure network by repeatedly guessing login credentials. The SIEM is configured to generate an alert after detecting 10 consecutive failed login attempts within a short timeframe. However, the attacker successfully logs in on the 9th attempt, just before the threshold is reached, bypassing the alert mechanism. Security teams only become aware of the incident after detecting suspicious activity post-login, highlighting a gap in the SIEM’s detection rules. What type of alert classification does this represent?

Answer options

Correct answer: C

Explanation

This situation is classified as a False Negative because the SIEM failed to alert the security team despite an unauthorized login occurring. The alert threshold was never reached, so the attacker's login went undetected by the rule. In contrast, a True Positive would indicate correct detection of a real issue, and a False Positive would be an alert raised for a non-issue; neither applies here.