4 Ways Your IRP Can Help Reduce False Positives

False positives are to the security analyst what cats in trees are to the fire brigade: wasted time and a distraction from the real emergencies. So imagine if a firefighter had to deal with tens of thousands of cats in trees, the way an analyst does with false positives! There would be a lot of fires burning with no one to put them out.

Enterprise SOCs face a barrage of alerts every year, but the vast majority are false positives, posing no security threat. One of the best ways for a company to increase the effectiveness of their SOC is to reduce false positives, so that analysts have the time to properly investigate the real security incidents.

Not only that, eliminating the person-hours spent on false positives enables companies to get an improved output from their SOC, in turn saving money and opening up other options for investment. With the current high demand for cybersecurity analysts, this can quickly save a company hundreds of thousands, if not millions, of dollars per year.

Because of the substantial potential for improved security and reduced operational costs, companies should be looking for every possible way to reduce false positives, while still being able to catch all legitimate incidents. Incident response platforms (IRPs) provide a unique opportunity to reduce false positives by as much as 90%—but only if they have all the right features in place. The D3 Incident Response Platform, for example, can help reduce the volume of false positives by supporting the following four methods.

Automate Information Gathering to Identify False Positives

The more information you can add to an incident record, the more conclusively you can determine whether or not it’s a false positive. However, there is never enough time to manually gather information for every incident. That’s why automation and orchestration are so important.

D3’s security automation features integrate with IP and file reputation, threat intelligence, and forensic data sources to enrich incidents with valuable context. This means that the information needed to identify false positives is already in place before an analyst even sees the incident record.

Create a “False Positive Feedback Loop” for Your SIEM Rules

Your SIEM is the initial determinant of how many alerts, and thus false positives, get through to your analysts. Your SIEM rules determine what anomalies might be a threat, and push those alerts to your IRP. But your SIEM rules might not reflect the reality that your incident response team is seeing every day. Using D3’s strong data analysis and reporting features, you can see exactly what SIEM rules are creating incidents that turn out to be false positives. With this data, you can regularly recalibrate your rules based on real-world outcomes.

Use Conclusion Data to Inform Decisions Throughout the Chain

Just as with your SIEM, the data from your IRP can be used to create false positive feedback loops for the rest of your technology infrastructure. Think of it this way: your IRP is the only system that records the conclusion of an incident, so the IRP knows what was a false positive, and what wasn’t. D3 retains this data so you can use it to inform configurations and parameters in systems, in turn maturing your entire systems landscape from largely reactive to proactive.

Leverage Multi-Factor Analysis to Create an Automated Decision Tree

As described in the previous points, there is a wealth of data that can be leveraged to determine false positives. The challenge is to effectively gather and utilize that data. With the multi-factor analysis capabilities in the latest version of D3, you can use data mining techniques to isolate the factors in your historical data that are most strongly correlated with false positives. Different factors can be scored and weighted appropriately, and the analysis can be translated into an automated decision tree, which determines what incidents get investigated further.

For example, the decision tree will create a confidence rating that the incident is a false positive based on the criteria you’ve chosen. If the confidence level is above a certain percentage, a few things can happen:

  • Automation can be set up to manage the incident, because of the high probability that it is a false positive
  • It can be bumped to the bottom of the analyst’s queue, so they can focus on threats that are more likely to be real incidents
  • It can be steered to a low-level analyst, freeing up more senior team members


The potential value is too great to settle for an Incident Response Platform that cannot eliminate the majority of false positives. Even security automation platforms that claim to reduce false positives often do not retain the detailed data fields necessary to improve over time. It is only through a centralized combination of features like automation, orchestration, case management, data analytics, and multi-factor analysis can you truly optimize your incident response program. That’s why we’ve designed D3 to be a truly comprehensive solution, with depth and breadth of functionality that no other platform on the market can match.

Click on the button below to schedule a demo today to learn more about D3’s Incident Response Platform.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.