After investigating and responding to an incident, the final step is classification. Proper classification improves detection accuracy over time and provides clear reporting.

Classification Types

| Classification   | When to Use                                                          | Example                                                          |
|------------------|----------------------------------------------------------------------|------------------------------------------------------------------|
| True Positive    | Confirmed real security threat that required response                | Actual malware execution, credential theft, lateral movement     |
| Benign Positive  | Real activity that triggered correctly but was expected or authorized | Scheduled penetration test, approved admin tool usage            |
| False Positive   | Incorrectly triggered due to flawed detection logic or bad data      | Legitimate software flagged as malicious, misconfigured rule     |
| Informational    | Low-risk activity documented for awareness                           | Failed login attempt from known location, routine scan           |

How to Classify an Incident

1. Open the incident in the Workbench
   Navigate to the incident from the Command Dashboard.

2. Click Classify
   In the incident detail view, click the Classify button.

3. Select the classification
   Choose the appropriate classification from the dropdown.

4. Add comments (recommended)
   Document your reasoning — this helps with future tuning and audit trails.

5. Close the incident
   Click Close Incident. The incident moves to closed status and appears in your reporting metrics.

If you’re seeing a pattern of False Positives from a specific detection rule, consider tuning the rule in the Content Management System (XDR + SIEM module required).
For the full reference, see Incident Classifications.
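To act on the tuning advice above, here is an added example (not part of this documentation or the product) that rolls up closed-incident classifications per detection rule using the four classifications from the table and flags rules whose False Positive share is high. The rule names, the incident sample and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# The four classifications from the table above.
CLASSIFICATIONS = {"True Positive", "Benign Positive", "False Positive", "Informational"}

# Constructed sample of closed incidents: (detection rule name, classification).
# Rule names and counts are made up; in practice this comes from your reporting export.
CLOSED_INCIDENTS = [
    ("Suspicious PowerShell Encoded Command", "True Positive"),
    ("Suspicious PowerShell Encoded Command", "Benign Positive"),
    ("Suspicious PowerShell Encoded Command", "True Positive"),
    ("Rare Parent-Child Process", "False Positive"),
    ("Rare Parent-Child Process", "False Positive"),
    ("Rare Parent-Child Process", "False Positive"),
    ("Rare Parent-Child Process", "Informational"),
    ("Impossible Travel Login", "False Positive"),
    ("Impossible Travel Login", "True Positive"),
]

def summarize_by_rule(incidents):
    """Count each classification per detection rule; reject unknown labels."""
    summary = defaultdict(Counter)
    for rule, classification in incidents:
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {classification!r} for rule {rule!r}")
        summary[rule][classification] += 1
    return dict(summary)

def false_positive_rate(counts):
    """Share of a rule's closed incidents that were classified False Positive.

    Benign Positives are not counted against the rule: the detection fired correctly
    on authorized activity, which calls for an exception, not a logic change.
    """
    total = sum(counts.values())
    return counts["False Positive"] / total if total else 0.0

def tuning_candidates(incidents, min_incidents=3, max_fp_rate=0.5):
    """Rules with enough closed incidents whose FP rate exceeds the threshold."""
    summary = summarize_by_rule(incidents)
    return sorted(
        rule for rule, counts in summary.items()
        if sum(counts.values()) >= min_incidents and false_positive_rate(counts) > max_fp_rate
    )

if __name__ == "__main__":
    for rule, counts in summarize_by_rule(CLOSED_INCIDENTS).items():
        print(f"{rule}: {dict(counts)} FP rate={false_positive_rate(counts):.0%}")
    print("Tuning candidates:", tuning_candidates(CLOSED_INCIDENTS))
```

The `min_incidents` floor keeps a rule that has fired only once or twice from being flagged on a single bad closure.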