A false positive is an error in some evaluation procedure in which a condition tested for is inaccurately found to have been detected. In spam filters, for example, a false positive is a legitimate message inappropriately marked as UBE –unsolicited bulk email, formerly known as junk mail. Another example is if a SIEM (Security Information and Event Management) rule is to create an alert whenever a user downloads 10 GB of data within one hour and the entire marketing team downloads the same file, all of those alerts would be false-positive alerts.

Most enterprise SOC teams receive thousands, if not more, false-positive alerts daily. The overwhelming number of false positive alerts can very quickly lead to alert fatigue so a detection system that can reduce the number of false-positives is a very valuable addition to any SOC.