SI-4 / A.12.6.1 / CIS-8.11 NIST SP 800-53 Rev 5

False-positive rate tracked + trending down

Description

What this control does

This control requires the organization to systematically measure the false-positive rate of its security detection systems (SIEM, IDS/IPS, EDR, DLP, WAF, etc.) over time and to demonstrate that rates are declining or remain within documented acceptable thresholds. A false positive is an alert that flags benign activity as malicious; each one consumes analyst time and, in volume, can mask real threats. Organizations must establish baseline measurements, define acceptable thresholds, implement a tuning process, and regularly review trending data to confirm that detection accuracy is improving or stable.

Control objective

What auditing this proves

Demonstrate that the organization actively monitors detection system false-positive rates, maintains historical trending data, and implements tuning or remediation actions that result in measurable improvement or sustained low false-positive rates.

Associated risks

Risks this control addresses

  • Alert fatigue causing security analysts to ignore or deprioritize legitimate alerts, allowing real attacks to succeed undetected
  • Excessive time spent investigating false positives reduces capacity for threat hunting, incident response, and proactive security activities
  • Security teams disable or reduce sensitivity of detection rules to manage alert volume, creating blind spots exploitable by attackers
  • High false-positive rates erode trust in security tools, leading to manual workarounds or shadow IT that bypasses monitoring
  • Resource exhaustion from runaway alerting disrupts SIEM, ticketing, or SOAR platforms, degrading overall detection capability
  • Inability to differentiate signal from noise increases mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) for genuine incidents
  • Compliance failures when audit trails are polluted with noise, obscuring evidence needed for forensic investigations or regulatory reporting

Testing procedure

How an auditor verifies this control

  1. Obtain inventory of all security detection systems in scope (SIEM, IDS/IPS, EDR, DLP, WAF, email security, cloud-native detection) including vendor, version, and deployment location.
  2. Request documented policies or procedures defining how false-positive rates are calculated, measurement intervals, acceptable thresholds, and escalation criteria.
  3. Review historical false-positive rate reports covering at least the past twelve months, verifying measurements are taken at consistent intervals (weekly, monthly, or quarterly).
  4. Select a representative sample of 3-5 detection systems spanning different technologies and validate that false-positive rates are calculated using a consistent methodology (e.g., alerts closed with a "false positive" disposition divided by all alerts that received a final disposition in the period, with duplicates and still-open alerts excluded from the denominator), using the same disposition categories across systems so that rates are comparable.
  5. Examine trending graphs or dashboards showing false-positive rates over time and identify whether rates are declining, stable within thresholds, or increasing.
  6. For systems with elevated or increasing false-positive rates, review documented tuning actions, rule adjustments, whitelist changes, or remediation tickets with timestamps and ownership. Confirm that the tuning narrowed the rule or excluded a known benign source rather than disabling the detection or raising its threshold so far that it no longer fires; a rate that falls only because a rule was switched off is a blind spot, not an improvement.
  7. Interview security operations personnel to confirm they have visibility into false-positive metrics, understand thresholds, and participate in tuning activities.
  8. Validate that false-positive rate data is reviewed in regular operational meetings (e.g., weekly SOC syncs, monthly security reviews) by examining meeting minutes, action item logs, or dashboard access records.
Evidence required

False-positive rate reports or dashboards spanning twelve months or more, showing quantitative measurements and trend lines for each in-scope detection system. Configuration exports or change logs documenting rule tuning, threshold adjustments, whitelist updates, or signature modifications linked to false-positive reduction efforts. Meeting minutes, tickets, or remediation plans demonstrating operational review of the metrics and accountability for false-positive management.

Pass criteria

False-positive rates are measured consistently for all in-scope detection systems over at least twelve months; rates are trending downward or remain within documented acceptable thresholds; and there is evidence of operational review and tuning activity addressing any elevated false-positive rates.
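As an added worked example (not part of this control text or of any audit program), the script below applies the consistent methodology from step 4 and the pass criteria above to a constructed alert export: it computes the monthly false-positive rate per detection system as alerts closed as false positive divided by all triaged alerts (duplicates and open alerts excluded), classifies the twelve-month trend by least-squares slope, and reports the months that breached the threshold so the auditor knows which tuning tickets to ask for. The system names, monthly counts, the 30% threshold, and the 0.5-percentage-point-per-month band used to call a trend "stable" are all assumptions chosen for illustration.

```python
"""Compute and trend detection false-positive rates from alert dispositions.

Added example. The systems, counts and threshold are constructed for
illustration and do not describe any real environment.
"""
from collections import Counter, defaultdict

# Dispositions that count as triaged. Duplicates and still-open alerts are
# left out of the denominator so that de-duplication or a triage backlog does
# not move the rate.
TRIAGED = {"false_positive", "true_positive", "benign_true_positive"}

# Constructed data: alerts closed as false positive per month (Jan-Dec 2024)
# for three hypothetical systems. Each month 100 alerts were triaged in total.
MONTHS = [f"2024-{m:02d}" for m in range(1, 13)]
FP_PER_MONTH = {
    "siem-corp": [65, 62, 58, 55, 50, 46, 42, 38, 35, 31, 28, 25],  # being tuned
    "waf-edge":  [40, 42, 41, 44, 45, 47, 46, 49, 50, 52, 53, 55],  # getting worse
    "edr-fleet": [10, 12, 9, 11, 10, 12, 11, 9, 10, 11, 10, 12],    # low and stable
}


def sample_alerts():
    """Expand the count table into one record per alert, the shape of a
    SIEM or ticketing export (system, month closed, final disposition)."""
    records = []
    for system, fps in FP_PER_MONTH.items():
        for month, fp in zip(MONTHS, fps):
            counts = {"false_positive": fp, "true_positive": 100 - fp - 5,
                      "benign_true_positive": 5, "duplicate": 7, "open": 2}
            for disposition, n in counts.items():
                records.extend({"system": system, "month": month,
                                "disposition": disposition} for _ in range(n))
    return records


def fp_rate_by_month(alerts, system):
    """{month: false-positive rate} for one system, in calendar order.
    Rate = alerts closed as false positive / all triaged alerts that month."""
    per_month = defaultdict(Counter)
    for a in alerts:
        if a["system"] == system and a["disposition"] in TRIAGED:
            per_month[a["month"]][a["disposition"]] += 1
    return {m: c["false_positive"] / sum(c.values())
            for m, c in sorted(per_month.items())}


def slope(values):
    """Least-squares slope of the series against month index 0..n-1."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def classify_trend(values, flat_band=0.005):
    """'declining', 'increasing' or 'stable'; the band is rate per month."""
    s = slope(values)
    if s <= -flat_band:
        return "declining"
    if s >= flat_band:
        return "increasing"
    return "stable"


def evaluate(alerts, system, threshold):
    """Pass criteria: trending downward, or every month within threshold.
    Months over threshold are listed so the matching tuning evidence can be
    requested for each one."""
    rates = fp_rate_by_month(alerts, system)
    series = list(rates.values())
    over = [m for m, r in rates.items() if r > threshold]
    trend = classify_trend(series)
    return {"system": system, "months": len(series), "trend": trend,
            "latest": series[-1] if series else None,
            "over_threshold": over,
            "pass": trend == "declining" or not over}


def audit(alerts, threshold):
    """Evaluate every system present in the export."""
    systems = sorted({a["system"] for a in alerts})
    return {s: evaluate(alerts, s, threshold) for s in systems}


if __name__ == "__main__":
    for system, result in audit(sample_alerts(), threshold=0.30).items():
        print(f"{system:10} months={result['months']:2} trend={result['trend']:10} "
              f"latest={result['latest']:.2f} over={len(result['over_threshold'])} "
              f"{'PASS' if result['pass'] else 'FAIL'}")
```

Run against the constructed data, siem-corp passes despite ten months above 30% because the series is clearly declining (the tuning evidence for those months is what step 6 then asks for), waf-edge fails because it is above threshold and rising, and edr-fleet passes on sustained low rates. Swapping in a real export only requires mapping its system, close-month and disposition columns onto the record shape used here.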

Where this control is tested

Audit programs including this control