Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?
Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?
Adding a SOAR rule to drop irrelevant and duplicated notifications is an effective technique for a SOC team to reduce the number of alerts related to internal security activities that analysts have to triage. SOAR (Security Orchestration, Automation, and Response) solutions are designed to automatically filter out non-relevant or duplicate alerts, thereby reducing the noise level. This allows SOC analysts to focus on more pertinent security incidents, enhancing efficiency and response times.
D. Add a SOAR rule to drop irrelevant and duplicated notifications Implementing a Security Orchestration, Automation, and Response (SOAR) solution can help reduce the number of alerts that SOC analysts have to triage by automatically filtering out irrelevant or duplicated notifications. This can significantly reduce the noise level and allow analysts to focus on investigating and responding to genuine security incidents.
When vulnerability scans or other routine security activities are executed, they can generate a large number of alerts that analysts must then sift through. By scheduling these scans and correlating their timing with a temporary suspension of alerts, the SOC can reduce the number of false positives or irrelevant alerts that analysts have to deal with. SOAR solutions can indeed help reduce the number of alerts by deduplicating and filtering out irrelevant notifications. However, without proper configuration, there is a risk of dropping alerts that might be relevant. This option is effective but not specifically tailored to internal security activities like option B. Therefore, scheduling tasks to disable alerting during known internal security activities (like vulnerability scans) is a targeted approach to reducing the number of alerts during those activities. It's important that this is done carefully to ensure that only the alerts generated by the scans are disabled and that other monitoring continues uninterrupted.
Go with D
you took the test?
It's D do not listen to tcgod unless you want to get this wrong
D. "SOAR tools frequently “bolt on” to a SIEM and trigger after an alert is generated. Instead of sending the alert to a security analyst for manual review, the alert is instead forwarded to a SOAR platform." CompTIA CS0-003 - Lesson 4A
In-house vuln scans can be dropped as irrelevant
The question does not state that the team wants to remove duplicate or low severity vulnerabilities so the only right answer that makes logical sense is answer D. in most comptia questions the answer is almost always in the answer!
I think answer is B since question is about Alerts related to internal security activities > better inform to soc team in advance to disable some use case to avoid alert flooding for soc analysts.
I dont think thats right