Which change reduces false positives when a detection rule triggers on Cloud Storage enumeration by automation?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.

Multiple Choice

Explanation:
Excluding the known automation account from the alert is the most direct way to cut false positives here. When automation enumerates Cloud Storage (listing buckets and objects as part of inventory, backup or compliance jobs), the activity is expected for that principal, yet a rule written to catch enumeration flags it because the calls are indistinguishable from reconnaissance. Adding a filter that excludes the automation account's principal (for example, its service account email) stops those routine, authorized calls from firing the alert and keeps the rule focused on enumeration by principals that are not approved to do it. Keep the exclusion as narrow as the principal itself rather than a pattern such as "all service accounts": the exclusion is effectively an allowlist, and anything it covers is invisible to this rule, including the same credential in an attacker's hands.

The other approaches don't address the root cause of the noise. A broader service name filter changes which products the rule covers but does not distinguish automated from human activity. Converting to a multi-event rule changes how events are correlated (for example, counting calls over a window), but the automation's calls still contribute to that count. Lowering the severity doesn't reduce the number of alerts; it only changes how they are prioritized.

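The following is an added worked example, not part of the original quiz or of any Google SecOps rule. It models the detection rule in Python over a constructed sample of Cloud Audit Log (Data Access) entries, using only the real log fields `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail` and `protoPayload.requestMetadata.callerIp`; the service account name, IP addresses, user names and the threshold of five calls are all assumptions chosen for illustration. It runs the rule three ways: with no exclusion, with the flat principal exclusion the quiz answer describes, and with a tighter variant that goes beyond the quiz by excluding the automation account only when its calls also come from its expected source address, so the same credential used from elsewhere is still counted.

```python
from collections import Counter

# Hypothetical automation identity and rule parameters (assumptions, not real values).
AUTOMATION_SA = "inventory-bot@example-proj.iam.gserviceaccount.com"
ENUMERATION_METHODS = {"storage.buckets.list", "storage.objects.list"}
THRESHOLD = 5  # enumeration calls per principal before the rule fires


def _entry(principal, method, caller_ip, ts):
    """Build a Cloud Audit Log entry trimmed to the fields the rule reads."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip},
        },
    }


# Constructed sample log: the automation SA enumerates from its usual address,
# the same SA also enumerates from an unexpected address, a human lists a couple
# of buckets, and another user enumerates objects at a rate that looks like recon.
SAMPLE_LOG = (
    [_entry(AUTOMATION_SA, "storage.buckets.list", "10.0.0.5", f"2024-05-01T03:00:{i:02d}Z") for i in range(8)]
    + [_entry(AUTOMATION_SA, "storage.objects.list", "203.0.113.9", f"2024-05-01T03:10:{i:02d}Z") for i in range(5)]
    + [_entry("alice@example.com", "storage.buckets.list", "192.0.2.10", f"2024-05-01T03:20:{i:02d}Z") for i in range(2)]
    + [_entry("mallory@example.com", "storage.objects.list", "198.51.100.7", f"2024-05-01T03:30:{i:02d}Z") for i in range(6)]
    + [_entry("mallory@example.com", "storage.objects.get", "198.51.100.7", "2024-05-01T03:31:00Z")]
)


def enumeration_events(entries):
    """Yield (principal, caller_ip) for every Cloud Storage enumeration call."""
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] in ENUMERATION_METHODS:
            yield p["authenticationInfo"]["principalEmail"], p["requestMetadata"]["callerIp"]


def detect(entries, excluded=frozenset(), allowed_sources=None, threshold=THRESHOLD):
    """Return sorted (principal, count) pairs that crossed the threshold.

    excluded:        principals dropped entirely (the flat exclusion in the quiz answer).
    allowed_sources: {principal: {ip, ...}}; a call is dropped only when the principal
                     AND its source address match, so an allowlisted credential used
                     from an unexpected address still counts toward the threshold.
    """
    allowed_sources = allowed_sources or {}
    counts = Counter()
    for principal, ip in enumeration_events(entries):
        if principal in excluded:
            continue
        if ip in allowed_sources.get(principal, ()):
            continue
        counts[principal] += 1
    return sorted((p, n) for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("no exclusion:      ", detect(SAMPLE_LOG))
    print("principal excluded:", detect(SAMPLE_LOG, excluded={AUTOMATION_SA}))
    print("scoped exclusion:  ", detect(SAMPLE_LOG, allowed_sources={AUTOMATION_SA: {"10.0.0.5"}}))
```

With no exclusion the rule fires on both the automation account and mallory; excluding the principal leaves only mallory, which is the outcome the quiz answer is after. The scoped variant shows the trade-off the explanation warns about: it still suppresses the eight routine calls from 10.0.0.5 but surfaces the five calls made with the automation credential from 203.0.113.9. Note that nothing in `detect` depends on a severity value; changing severity would relabel these results without removing any of them.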
