Your SecOps instance generates many alerts related to a C2 IP in a threat feed, but the queries originate from sandbox/test environments. You want to avoid alert fatigue while preserving visibility if the IOC reappears in production telemetry. What should you do?

Multiple Choice

Explanation:
The main idea is to tune the detection rule with environment-scoped exceptions, so that you silence the noisy non-production sources while keeping visibility in production. By adding an exception to the detection rule that excludes matches from specific asset groups (such as Sandbox or Test environments), you preserve the rule's ability to detect the IOC in production telemetry while stopping the alerts that originate from those sandbox assets. This targets the noise exactly where it comes from without blanket-suppressing the signal you care about in production.

Why this is the best fit: it preserves visibility where it matters, in production telemetry, while removing the irrelevant alerts that originate in sandbox/test environments. It is a targeted, maintainable approach: you can adjust or remove the exception later as needed, and the detection logic for production stays intact.

Why the other options are not as good: Temporarily disabling the rule would eliminate detection entirely, risking missed real threats in production. Adding the IOC to a reference list and suppressing alerts for that list could blanket-suppress across all environments if the suppression is not scoped, reducing visibility where it is still needed. Reducing the severity globally lowers the alert's impact in every context, which can cause important production alerts to be overlooked.
