If default UDM search columns are not relevant, what is an effective way to reduce false positives when a curated high-priority network indicators rule set flags issues due to on-prem proxies?

Multiple Choice

Explanation:
The key idea is to stop the rule from evaluating data in the field that is causing the false positives. In this scenario, on-prem proxies often appear as the network asset's IP, so the network indicators rule set may flag issues only because the asset IP field contains the proxy address. By configuring a rule exclusion for the network.asset.ip field, you prevent the rule from using that IP in its evaluation. This directly reduces the false positives tied to the proxy data while keeping the rest of the rule logic intact.

Excluding the user's IP (principal.ip) would remove signals tied to the user, which does not address the proxy-related noise. Excluding target.domain or target.ip shifts the focus away from the destination information, which does not tackle the proxy IP appearing in the asset data and thus is less effective at cutting those false alarms.
