Splunk Enterprise

Suricata search- How to identify a false positive or false negative?

New Member

Hello all

Very new to splunk

Currently analyzing the old botsv1, and its very interesting so far.

I'm stuck when analyzing suricata logs

First of all, how to identify a false positive or false negative?

Second how to identify from the signatures that identified a ransomware which one did actually detected the ransomware.

Thank you all for you comments.

Thank you

Labels (2)
0 Karma


It sounds like you need to understand the Suricata logs - have you tried the Suricata documentation or website or community pages?

0 Karma

New Member

I did had a look at the output of the logs.

What I still don't understand is that if you have 5 events (alert) with severity=1.

How can any of those 5 be a false positive.


0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...