Learning Lab: Understanding and Tuning Threats in Netwrix Threat Manager

About the session

Join us on 2026-03-10 at 17:00 UTC as we take a practical look at noisy threats and false positives in Netwrix Threat Manager (NTM). In real-world environments, identity threat detection often collides with legacy protocols, incomplete identity context, and accepted operational practices, creating alert noise that can impact confidence. This session focuses on understanding why certain NTM threats generate false positives, how to distinguish signal from noise, and how to tune detections responsibly without undermining security outcomes.

In this session, we’ll break down several commonly noisy NTM threats, explain the detection logic behind them, and highlight the environmental and policy conditions that cause them to fire. You’ll learn when exclusions are appropriate, when a threat should be disabled entirely, and when noise is an indicator of a broader identity hygiene gap. The goal is to help you operate NTM with intent, aligning detection behavior to your organization’s identity maturity and risk tolerance.

During the session, you will learn about:

  • Understanding “Noisy” Threats in NTM – Why certain detections are designed to surface best-practice violations and environmental risk, not just active attacker behavior, and how this impacts alert volume.
  • Environmental and Policy-Driven Alert Noise – How incomplete identity context, legacy protocols, and accepted operational practices can cause NTM threats such as DCSync, Kerberoasting, LDAP Reconnaissance, and best-practice detections to generate false positives, and how to determine when exclusions, tuning, or disabling a threat is the appropriate response.
  • Practical Tuning in NTM – A structured approach to classifying threats, applying exclusions with intent, documenting decisions, and revisiting tuning as identity posture and enforcement maturity improve.