Complete guide to generating realistic false positive scenarios for detection rule tuning and SOC training.
- Overview
- Quick Start
- False Positive Types
- Configuration Options
- SOC Training Scenarios
- Rule Tuning Workflows
- Integration with Other Features
- Use Cases
- Best Practices
- Troubleshooting
The false positive generation system creates realistic scenarios that trigger security alerts but represent legitimate business activities. This is essential for:
- Detection Rule Tuning: Identifying overly broad or sensitive rules
- SOC Training: Teaching analysts to distinguish between threats and benign activities
- Alert Fatigue Simulation: Testing analyst workflows under realistic conditions
- System Performance Testing: Validating alert processing capabilities
# Generate alerts with 20% false positives
yarn start generate-alerts --count 100 --false-positive-rate 0.2
# Generate high false positive scenario for training
yarn start generate-alerts --count 50 --false-positive-rate 0.6
# Generate themed false positives
yarn start generate-alerts --theme corporate --count 75 --false-positive-rate 0.3# APT campaign with realistic false positive rate
yarn start generate-campaign apt --realistic --false-positive-rate 0.1
# Ransomware with higher false positive rate for training
yarn start generate-campaign ransomware --false-positive-rate 0.4 --count 100Legitimate system administration that triggers security alerts:
Examples:
- Scheduled Tasks: Automated backup scripts running at odd hours
- Software Updates: Legitimate software installation and updates
- System Maintenance: Disk cleanup, registry maintenance, service restarts
- User Management: Account creation, password resets, permission changes
Generated Scenarios:
{
"event.category": "process",
"process.name": "powershell.exe",
"process.command_line": "PowerShell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\BackupScript.ps1",
"user.name": "backup_service",
"host.name": "backup-server-01",
"tags": ["false_positive", "administrative"]
}Legitimate business software with suspicious characteristics:
Examples:
- Development Tools: Compilers, debuggers, scripting environments
- Remote Access: VPN connections, remote desktop, SSH tunnels
- Data Processing: ETL jobs, database maintenance, file synchronization
- Monitoring Tools: System monitoring, network scanning, performance analysis
Normal user activities that appear suspicious:
Examples:
- Travel Patterns: Legitimate travel causing geographic anomalies
- Schedule Changes: Working unusual hours for project deadlines
- New Responsibilities: Accessing new systems due to role changes
- Training Activities: Learning new tools or accessing training environments
Legitimate network traffic that triggers alerts:
Examples:
- Cloud Services: API calls to cloud providers and SaaS applications
- Content Delivery: CDN traffic, software downloads, update checks
- Inter-Office Communication: Site-to-site VPN, branch office connections
- Partner Integrations: B2B data exchanges, vendor portal access
# Low false positive rate (production-like)
--false-positive-rate 0.1 # 10% false positives
# Medium false positive rate (testing)
--false-positive-rate 0.3 # 30% false positives
# High false positive rate (training)
--false-positive-rate 0.6 # 60% false positives# Focus on specific false positive categories
yarn start generate-alerts --count 50 --false-positive-categories administrative,business_apps
# Generate comprehensive false positive scenarios
yarn start generate-alerts --count 100 --false-positive-categories all# After-hours administrative activities
yarn start generate-alerts --count 30 --false-positive-rate 0.4 --time-pattern off_hours
# Business hours false positives
yarn start generate-alerts --count 80 --false-positive-rate 0.2 --time-pattern business_hoursHigh false positive rates to teach basic triage skills:
# Clear distinction between real threats and false positives
yarn start generate-alerts --count 40 --false-positive-rate 0.7 --difficulty beginner
# Focus on common false positive types
yarn start generate-alerts --count 30 --false-positive-categories administrative --theme corporateTraining Objectives:
- Identify obvious false positives
- Understand business context
- Practice initial triage procedures
- Learn escalation criteria
Moderate false positive rates with nuanced scenarios:
# Mixed scenarios requiring deeper analysis
yarn start generate-alerts --count 60 --false-positive-rate 0.4 --difficulty intermediate
# Campaign-based training with false positives
yarn start generate-campaign apt --realistic --false-positive-rate 0.3 --count 50Training Objectives:
- Analyze ambiguous alerts
- Correlate multiple events
- Distinguish sophisticated attacks from complex legitimate activities
- Practice investigation workflows
Low false positive rates simulating production environments:
# Production-like false positive rates
yarn start generate-alerts --count 100 --false-positive-rate 0.1 --difficulty advanced
# Complex campaign scenarios
yarn start generate-campaign insider --realistic --false-positive-rate 0.15 --count 75Training Objectives:
- Handle high-volume alert environments
- Identify subtle false positive patterns
- Optimize investigation efficiency
- Practice advanced correlation techniques
Use false positives to validate and tune detection rules:
# Generate test data for rule tuning
yarn start generate-alerts --count 200 --false-positive-rate 0.25 --rule-testing
# Create baseline for false positive analysis
yarn start generate-logs --count 1000 --false-positive-rate 0.2 --baselineTest different alert thresholds with varying false positive rates:
# High sensitivity testing
yarn start generate-alerts --count 100 --false-positive-rate 0.5 --sensitivity high
# Balanced sensitivity testing
yarn start generate-alerts --count 100 --false-positive-rate 0.3 --sensitivity medium
# Low sensitivity testing
yarn start generate-alerts --count 100 --false-positive-rate 0.1 --sensitivity lowGenerate data to develop alert exceptions and filters:
# Administrative activity analysis
yarn start generate-alerts --count 50 --false-positive-categories administrative --exception-analysis
# Business application profiling
yarn start generate-alerts --count 75 --false-positive-categories business_apps --profilingGenerate false positives that mimic MITRE techniques:
# False positives resembling MITRE techniques
yarn start generate-alerts --count 40 --mitre --false-positive-rate 0.4
# Campaign false positives with MITRE context
yarn start generate-campaign apt --mitre --false-positive-rate 0.3 --count 60Use AI to generate contextual false positive scenarios:
# AI-generated false positive contexts
yarn start generate-alerts --count 50 --ai --false-positive-rate 0.3
# Detailed false positive explanations
yarn start generate-alerts --count 30 --ai --false-positive-categories administrative --explainGenerate false positives across different environments:
# Development environment false positives
yarn start generate-alerts --space development --false-positive-rate 0.5 --count 40
# Production environment false positives
yarn start generate-alerts --space production --false-positive-rate 0.1 --count 100Create comprehensive training scenarios:
# Progressive training curriculum
yarn start generate-alerts --count 30 --false-positive-rate 0.7 --level 1
yarn start generate-alerts --count 50 --false-positive-rate 0.4 --level 2
yarn start generate-alerts --count 75 --false-positive-rate 0.2 --level 3Test detection rules against realistic false positive scenarios:
# Rule effectiveness testing
yarn start generate-alerts --count 200 --false-positive-rate 0.3 --rule-validation
# Coverage analysis
yarn start generate-alerts --count 150 --false-positive-categories all --coverage-testTest SOC workflows under realistic alert loads:
# High-volume false positive testing
yarn start generate-alerts --count 500 --false-positive-rate 0.4 --performance-test
# Alert fatigue simulation
yarn start generate-alerts --count 1000 --false-positive-rate 0.6 --fatigue-testTeach analysts about legitimate business activities:
# Business application training
yarn start generate-alerts --count 40 --false-positive-categories business_apps --business-context
# Administrative process training
yarn start generate-alerts --count 30 --false-positive-categories administrative --process-training- Realistic Scenarios: Base false positives on actual business activities
- Appropriate Timing: Consider business hours and operational schedules
- Contextual Accuracy: Ensure false positives match organizational context
- Progressive Difficulty: Start simple, increase complexity gradually
- Clear Learning Objectives: Define what analysts should learn from each scenario
- Baseline Assessment: Test analyst skills before training
- Structured Progression: Move from obvious to subtle false positives
- Business Context: Provide organizational background and context
- Feedback Loops: Provide immediate feedback on triage decisions
- Performance Metrics: Track improvement in false positive identification
- Systematic Testing: Test rules against comprehensive false positive sets
- Exception Development: Create specific exceptions for known false positives
- Threshold Optimization: Adjust sensitivity based on false positive analysis
- Continuous Monitoring: Regularly update false positive scenarios
- Documentation: Maintain records of false positive patterns and resolutions
Issue: Generated false positives don't match business environment Solutions:
- Use appropriate themes (corporate, technical)
- Customize false positive categories
- Adjust time patterns to match business hours
- Review and update false positive templates
Issue: Analysts struggle to identify false positives Solutions:
- Start with higher false positive rates
- Provide clearer business context
- Use progressive difficulty levels
- Add detailed explanations and feedback
Issue: Difficulty balancing sensitivity and false positive rates Solutions:
- Test multiple false positive rates
- Analyze false positive patterns systematically
- Develop granular exception rules
- Monitor production false positive rates
- Batch Processing: Generate false positives in appropriate batch sizes
- Resource Management: Monitor system resources during generation
- Index Impact: Consider impact on Elasticsearch indices
- Storage Planning: Plan for additional storage requirements
Define organization-specific false positive scenarios:
{
"false_positive_templates": {
"organizational": {
"administrative_tools": ["backup_software.exe", "monitoring_agent.exe"],
"business_applications": ["erp_system.exe", "crm_client.exe"],
"development_tools": ["visual_studio.exe", "git.exe"],
"remote_access": ["vpn_client.exe", "rdp_client.exe"]
}
}
}Automatically adjust false positive rates based on training effectiveness:
# Adaptive training mode
yarn start generate-alerts --count 50 --adaptive-false-positives --training-mode
# Performance-based adjustment
yarn start generate-alerts --count 75 --false-positive-rate adaptive --analyst-performance-trackingReady to improve detection accuracy and analyst skills? Start with yarn start generate-alerts --count 50 --false-positive-rate 0.3 for realistic false positive training scenarios!