An attacker attempts to gain unauthorized access to a secure network by repeatedly guessing login...

A false negative occurs when malicious activity happens but the detection logic fails to alert. In this case, an attacker successfully authenticates after multiple failed attempts, yet the SIEM rule does not trigger because the threshold (10 failed attempts) was not met. The incident is real, but the system missed it—this is the definition of a false negative. From a SOC engineering perspective, this highlights a common tuning pitfall: rigid thresholds can be evaded by attackers who adjust timing or stop just short of the trigger condition. To reduce false negatives, SOC teams often implement layered detections: alert on “many failed attempts” (lower thresholds), alert on “failed attempts followed by a success,” incorporate user risk context (unusual source IP/geo), and add account lockout or MFA policies to reduce attack success. A false positive would mean an alert triggered for benign activity, which did not occur here. True positives/true negatives require the SIEM to correctly alert or correctly stay silent, respectively. Since the SIEM stayed silent during an actual compromise, the classification is false negative.