
Exam CS0-003 topic 1 question 214 discussion

Actual exam question from CompTIA's CS0-003
Question #: 214
Topic #: 1

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

  • A. Enrich the SIEM-ingested data to include all data required for triage
  • B. Schedule a task to disable alerting when vulnerability scans are executing
  • C. Filter all alarms in the SIEM with low severity
  • D. Add a SOAR rule to drop irrelevant and duplicated notifications
Suggested Answer: D
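What option D looks like in practice, as an added example that is not part of the exam page or of CompTIA's material: a small SOAR-style pre-filter that sits between the SIEM and the analyst queue. It drops an alert as "authorized scan" only when it comes from a known scanner, inside a scheduled scan window, and matches a rule the scanner is expected to trigger; it drops repeats of the same (rule, source, destination) seen within a short window as duplicates; everything else, including an unexpected high-severity alert from the scanner host, still reaches an analyst. That last point is why this beats option B, which would silence the scanner host entirely. The scanner address, scan window, rule names and the sample alerts are all constructed assumptions.

```python
"""SOAR-style alert pre-filter (added example; scanner, window, rules and
sample alerts are constructed assumptions, not data from the original page)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    src: str
    dst: str
    severity: str


# Constructed assumptions: the authorized internal scanner, its maintenance
# window, the de-duplication window, and the rules a scan is expected to fire.
AUTHORIZED_SCANNERS = [ip_network("10.10.5.7/32")]
SCAN_WINDOWS = [(datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 4, 0))]
DEDUP_WINDOW = timedelta(minutes=10)
SCAN_NOISE_RULES = {"PORT_SCAN", "WEB_VULN_PROBE", "SSL_WEAK_CIPHER"}


def is_scan_noise(a: Alert) -> bool:
    """True only if source, time and rule all match the authorized scan."""
    from_scanner = any(ip_address(a.src) in net for net in AUTHORIZED_SCANNERS)
    in_window = any(start <= a.ts < end for start, end in SCAN_WINDOWS)
    return from_scanner and in_window and a.rule in SCAN_NOISE_RULES


def triage_queue(alerts):
    """Return (kept, dropped): kept is the analyst queue in time order,
    dropped maps each suppressed alert to the reason it was suppressed."""
    kept, dropped = [], {}
    last_seen = {}  # (rule, src, dst) -> timestamp of the last alert we kept
    for a in sorted(alerts, key=lambda x: x.ts):
        if is_scan_noise(a):
            dropped[a] = "authorized scan"
            continue
        key = (a.rule, a.src, a.dst)
        prev = last_seen.get(key)
        if prev is not None and a.ts - prev < DEDUP_WINDOW:
            dropped[a] = "duplicate"
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept, dropped


# Constructed sample alerts, all on the day of the scheduled scan.
T = datetime(2024, 5, 1, 2, 30)
SAMPLE_ALERTS = [
    Alert(T, "PORT_SCAN", "10.10.5.7", "10.20.0.15", "low"),            # scanner, in window: drop
    Alert(T + timedelta(minutes=1), "PORT_SCAN", "10.10.5.7", "10.20.0.16", "low"),     # drop
    Alert(T + timedelta(minutes=2), "PORT_SCAN", "10.20.0.99", "10.20.0.15", "medium"),  # unknown host: keep
    Alert(T + timedelta(minutes=3), "PORT_SCAN", "10.20.0.99", "10.20.0.15", "medium"),  # repeat: drop
    Alert(T + timedelta(minutes=5), "CRED_DUMP", "10.10.5.7", "10.20.0.15", "high"),     # scanner host, not scan noise: keep
    Alert(T + timedelta(minutes=15), "PORT_SCAN", "10.20.0.99", "10.20.0.15", "medium"), # outside dedup window: keep
    Alert(datetime(2024, 5, 1, 9, 0), "PORT_SCAN", "10.10.5.7", "10.20.0.15", "low"),    # scanner outside window: keep
]

if __name__ == "__main__":
    kept, dropped = triage_queue(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts in, {len(kept)} to analysts, {len(dropped)} suppressed")
    for a, why in dropped.items():
        print(f"  dropped {a.rule} {a.src}->{a.dst} at {a.ts:%H:%M}: {why}")
```

The suppression rule is deliberately a conjunction of three conditions rather than a blanket "mute during scans": a scanner host that starts behaving like an attacker (the CRED_DUMP alert) or that scans outside its window is still surfaced, which is exactly what a scheduled alert-disable cannot do.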

Comments

nap61
Highly Voted 9 months, 3 weeks ago
D. "SOAR tools frequently “bolt on” to a SIEM and trigger after an alert is generated. Instead of sending the alert to a security analyst for manual review, the alert is instead forwarded to a SOAR platform." CompTIA CS0-003 - Lesson 4A
upvoted 5 times
cy_analyst
Most Recent 7 months ago
Selected Answer: D
B. Schedule a task to disable alerting when vulnerability scans are executing: Disabling alerts during vulnerability scans might cause you to miss important incidents that occur during the scan. It’s also not a good practice to turn off alerts entirely.
upvoted 1 times
boog
10 months, 1 week ago
Selected Answer: D
In-house vuln scans can be dropped as irrelevant
upvoted 1 times
captaintoadyo
1 year ago
Selected Answer: D
The question does not state that the team wants to remove duplicate or low severity vulnerabilities, so the only right answer that makes logical sense is answer D. In most CompTIA questions the answer is almost always in the answer!
upvoted 1 times
section8santa
1 year, 1 month ago
Selected Answer: B
When vulnerability scans or other routine security activities are executed, they can generate a large number of alerts that analysts must then sift through. By scheduling these scans and correlating their timing with a temporary suspension of alerts, the SOC can reduce the number of false positives or irrelevant alerts that analysts have to deal with. SOAR solutions can indeed help reduce the number of alerts by deduplicating and filtering out irrelevant notifications. However, without proper configuration, there is a risk of dropping alerts that might be relevant. This option is effective but not specifically tailored to internal security activities like option B. Therefore, scheduling tasks to disable alerting during known internal security activities (like vulnerability scans) is a targeted approach to reducing the number of alerts during those activities. It's important that this is done carefully to ensure that only the alerts generated by the scans are disabled and that other monitoring continues uninterrupted.
upvoted 2 times
section8santa
1 year ago
Go with D
upvoted 2 times
Kmelaun
1 year ago
You took the test?
upvoted 1 times
j904
1 year, 1 month ago
Selected Answer: D
It's D; do not listen to tcgod unless you want to get this wrong.
upvoted 3 times
Nishaw
1 year, 1 month ago
Selected Answer: D
D. Add a SOAR rule to drop irrelevant and duplicated notifications.
Implementing a Security Orchestration, Automation, and Response (SOAR) solution can help reduce the number of alerts that SOC analysts have to triage by automatically filtering out irrelevant or duplicated notifications. This can significantly reduce the noise level and allow analysts to focus on investigating and responding to genuine security incidents.
upvoted 4 times
tcgod666
1 year, 1 month ago
Selected Answer: B
I think the answer is B, since the question is about alerts related to internal security activities > better to inform the SOC team in advance to disable some use cases to avoid alert flooding for SOC analysts.
upvoted 1 times
j904
1 year, 1 month ago
I don't think that's right.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other