Skip to main content

Classification vs Status

It is important to understand the difference between Classification and Status. Status is related to the work state of an investigation. The options for Status are Active, Closed, or New. Classification is based on the outcome of an incident investigation. To some, classifications can be confusing to understand. Below is a breakdown of when to use each Classification. Incident classifications

True Positive

True Positive should be selected when the incident was deemed to be an actual malicious threat to your environment.

Benign Positive

Benign Positive should be selected when the incident seemed suspicious, but was actually legitimate activity from a user.

False Positive

False Positive should be selected when the incident was mistakenly triggered by incorrect logic in the incident itself or inaccurate data that was used to determine legitimacy of the incident. When selecting this option, you will notice you have the choice to classify between both of these triggers. False positive options

Undetermined

Undetermined is best for incidents where the cause is ultimately unknown or the outcome does not fall in line with either of the classifications above. In the latter case, it is best recommended to include a comment containing everything that was discovered in the process of investigating this incident.
If you have any questions about how to use Classifications, please contact us at [email protected].