Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?
A.
Enrich the SIEM-ingested data to include all data required for triage
B.
Schedule a task to disable alerting when vulnerability scans are executing
C.
Filter all alarms in the SIEM with low seventy
D.
Add a SOAR rule to drop irrelevant and duplicated notifications
The question does not state that the team wants to remove duplicate or low severity vulnerabilities so the only right answer that makes logical sense is answer D. in most comptia questions the answer is almost always in the answer!
When vulnerability scans or other routine security activities are executed, they can generate a large number of alerts that analysts must then sift through. By scheduling these scans and correlating their timing with a temporary suspension of alerts, the SOC can reduce the number of false positives or irrelevant alerts that analysts have to deal with.
SOAR solutions can indeed help reduce the number of alerts by deduplicating and filtering out irrelevant notifications. However, without proper configuration, there is a risk of dropping alerts that might be relevant. This option is effective but not specifically tailored to internal security activities like option B.
Therefore, scheduling tasks to disable alerting during known internal security activities (like vulnerability scans) is a targeted approach to reducing the number of alerts during those activities. It's important that this is done carefully to ensure that only the alerts generated by the scans are disabled and that other monitoring continues uninterrupted.
D. Add a SOAR rule to drop irrelevant and duplicated notifications
Implementing a Security Orchestration, Automation, and Response (SOAR) solution can help reduce the number of alerts that SOC analysts have to triage by automatically filtering out irrelevant or duplicated notifications. This can significantly reduce the noise level and allow analysts to focus on investigating and responding to genuine security incidents.
I think answer is B since question is about Alerts related to internal security activities > better inform to soc team in advance to disable some use case to avoid alert flooding for soc analysts.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
captaintoadyo
1 week, 5 days agosection8santa
1 month, 1 week agosection8santa
1 month agoKmelaun
1 month agoj904
1 month, 2 weeks agoNishaw
1 month, 2 weeks agotcgod666
1 month, 3 weeks agoj904
1 month, 3 weeks ago