
Tuesday, November 13

Difference between False Positive, False Negative, True Positive and True Negative


  • True Positive: A real attack that triggers an alarm.
    • You have a brute force alert, and it triggers. You investigate the alert and find out that somebody was indeed trying to break into one of your systems via brute force methods.
  • False Positive: An event that triggers an alarm when no attack has taken place.
    • You investigate another of these brute force alerts and find out that it was just some user who mistyped their password a bunch of times, not a real attack.
  • False Negative: An attack has taken place, but no alarm is raised.
    • There actually was someone trying to break into your system, but they stayed below the threshold of your brute force detection logic. For example, you set your rule to look for 10 failed logins in a minute, and the attacker made only 9. The attack occurred, but your rule failed to detect it.
  • True Negative: No attack has taken place and no alarm is raised.
    • No attack occurred and your rule didn't fire.
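The four outcomes above, worked through in code: an added example (not from the original post) that implements the "10 failed logins in a minute" rule as a sliding window over constructed authentication events, then compares each source's alert status with constructed ground truth to label it TP, FP, FN or TN. The IP addresses, timestamps and attacker labels are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time


def failures(src, n, spacing_s):
    """Constructed helper: n failed logins from src, spacing_s seconds apart."""
    return [(T0 + timedelta(seconds=i * spacing_s), src, False) for i in range(n)]


# Constructed sample auth events as (timestamp, source, success). Not from a real log.
EVENTS = (failures("10.0.0.5", 12, 2)      # attacker: 12 failures in 22 s
          + failures("10.0.0.7", 11, 5)    # user fat-fingering: 11 failures in 50 s
          + failures("10.0.0.9", 9, 5)     # attacker staying under the threshold
          + failures("10.0.0.3", 2, 20)    # normal user: two typos
          + [(T0, "10.0.0.3", True)])

# Constructed ground truth: which sources were really attacking.
TRUTH = {"10.0.0.5": True, "10.0.0.7": False, "10.0.0.9": True, "10.0.0.3": False}


def alerts(events, threshold=10, window=timedelta(minutes=1)):
    """Return the sources with at least `threshold` failures inside any `window`."""
    by_src = defaultdict(list)
    for ts, src, ok in events:
        if not ok:
            by_src[src].append(ts)
    fired = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                fired.add(src)
                break
    return fired


def classify(fired, truth):
    """Label each source TP/FP/FN/TN from (alert raised?, attack happened?)."""
    label = {(True, True): "TP", (True, False): "FP",
             (False, True): "FN", (False, False): "TN"}
    return {src: label[(src in fired, attacked)] for src, attacked in truth.items()}


if __name__ == "__main__":
    for src, outcome in classify(alerts(EVENTS), TRUTH).items():
        print(src, outcome)
```

Lowering the threshold to 9 turns 10.0.0.9 into a true positive, which is the usual trade-off: every tuning change shifts events between these four buckets rather than removing any of them.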
