Which change reduces false positives when a detection rule triggers on Cloud Storage object listing due to automation activity?


Multiple Choice


Explanation:
When tuning a detection rule that flags Cloud Storage object listing, filtering out benign automation activity is the most effective way to reduce false positives. Excluding the automation account by its user email means events from that account no longer match the rule, so legitimate maintenance actions across buckets stop contributing to alerts. This directly targets the source of the noise and keeps the rule focused on unexpected or unauthorized activity from real users.

Changing the rule to key on a different field, such as the service name, does not specifically remove the automation's activity; it may still alert on listings performed by the automation, or blur signals across services. Making the rule multi-event can help group related events but does not filter out the automation account itself. Lowering the severity only changes how alerts are prioritized, not whether the automation activity triggers an alert in the first place.

