To reduce false positives from high-priority network indicators related to on-prem proxies, which exclusion is most appropriate?


Multiple Choice

To reduce false positives from high-priority network indicators related to on-prem proxies, which exclusion is most appropriate?

Explanation:
The key idea is reducing noise from internal on-prem proxy traffic by filtering out signals tied to known asset addresses. Excluding the network.asset.ip field suppresses events that reference IPs belonging to assets in your inventory, which is where on-prem proxies typically show activity. This prevents alerts driven by internal IP addresses from firing while still allowing signals that involve external destinations or unknown hosts to be investigated.

Excluding the user's IP (principal.ip) would hide who initiated the activity, which can be important for investigation and attribution. Excluding the destination IP (target.ip) or destination domain would remove signals tied to where the traffic is going, potentially masking real threats or other legitimate activity, without specifically addressing the noise from internal proxies.
