A false positive is a detection rule firing on legitimate activity. Tuning the rule to exclude known-good patterns reduces false positives without weakening the detection logic itself.
Every Sigma rule includes a falsepositives field: a list of legitimate behaviours the rule's detection logic might also catch. The rule operator's job is to translate this list into environment-specific exclusions: the IP addresses your CI runner uses, the service-account ARNs your automation uses, the hours your weekly maintenance window runs.
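The translation step described above, as an added example that is not CloudSigma's or a13e.com's code: a Sigma-style rule with a generic falsepositives list, an operator-supplied tuning block that maps each entry to a concrete exclusion (CI runner CIDR, automation ARN, maintenance window), and an evaluator run over constructed CloudTrail-like events. The rule, the ARN, the TEST-NET addresses and the events are all invented for illustration.

```python
"""Added example (not CloudSigma's or a13e.com's code): turning a Sigma rule's
generic falsepositives list into environment-specific exclusions.

Rule, exclusion values and events below are constructed for illustration.
"""
from datetime import datetime
import ipaddress

# Constructed Sigma-style rule, held as a dict rather than YAML so the example
# has no dependencies. The falsepositives field names what the operator must tune.
RULE = {
    "title": "AWS IAM Policy Attached to Role",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy"},
        "condition": "selection",
    },
    "falsepositives": [
        "CI/CD pipelines deploying infrastructure",
        "Automation service accounts",
        "Scheduled maintenance windows",
    ],
    "level": "medium",
}

# Operator tuning for one environment: each entry makes one generic falsepositive
# concrete. Values are assumptions (TEST-NET-3 range, a made-up account/role).
TUNING = {
    "ci_runner_cidrs": [ipaddress.ip_network("203.0.113.0/28")],
    "automation_arns": {"arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci"},
    "maintenance_window": {"weekday": 6, "start_hour": 2, "end_hour": 4},  # Sunday 02:00-04:00 UTC
}

# Constructed events: three known-good patterns, one genuine hit, one non-match.
EVENTS = [
    {"id": "evt-1", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "eventTime": "2024-03-12T10:15:00Z", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-bot"}},          # CI runner IP
    {"id": "evt-2", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "eventTime": "2024-03-12T11:00:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci"}},  # automation ARN
    {"id": "evt-3", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "eventTime": "2024-03-10T03:05:00Z", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},       # Sunday 03:05 UTC
    {"id": "evt-4", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "eventTime": "2024-03-12T14:30:00Z", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"}},            # should alert
    {"id": "evt-5", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
     "eventTime": "2024-03-12T14:31:00Z", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"}},            # not selected
]


def matches_selection(event: dict, selection: dict) -> bool:
    """Sigma 'selection' semantics for a flat map: every field/value pair must match."""
    return all(event.get(field) == value for field, value in selection.items())


def is_known_good(event: dict, tuning: dict) -> bool:
    """True if the event falls under one of the operator's tuned exclusions."""
    src = ipaddress.ip_address(event["sourceIPAddress"])
    if any(src in cidr for cidr in tuning["ci_runner_cidrs"]):
        return True
    if event.get("userIdentity", {}).get("arn") in tuning["automation_arns"]:
        return True
    ts = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
    win = tuning["maintenance_window"]
    return ts.weekday() == win["weekday"] and win["start_hour"] <= ts.hour < win["end_hour"]


def evaluate(events, rule, tuning=None):
    """Return events that fire the rule; with tuning, known-good events are dropped."""
    hits = [e for e in events if matches_selection(e, rule["detection"]["selection"])]
    if tuning is None:
        return hits
    return [e for e in hits if not is_known_good(e, tuning)]


if __name__ == "__main__":
    print("untuned:", [e["id"] for e in evaluate(EVENTS, RULE)])
    print("tuned:  ", [e["id"] for e in evaluate(EVENTS, RULE, TUNING)])
```

Untuned, the rule fires four times; tuned, only evt-4 survives. Two things to check before shipping tuning like this: each exclusion should be as narrow as the behaviour it covers (pairing the CI CIDR with the CI identity is better than either alone, since an attacker on the runner subnet would otherwise be silenced too), and a time-based exclusion is the weakest of the three because it suppresses everything in the window, not just the maintenance job. Keep the tuning beside the rule under version control so the exclusions are reviewed when the rule or the environment changes.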
Untuned rules are among the largest sources of SOC alert fatigue. CloudSigma ships rules with sensible default falsepositives lists; production deployment still requires the operator to add the environment's own known automation. The integrity-contract guide describes how every embedded rule on a13e.com states its falsepositives up front.