312-39 Question #29: Real Exam Question with Answer & Explanation
The correct answer is B. Verify false positives.
Question
Options
- A. Verify generated logs
- B. Verify false positives
- C. Scan the enterprise environment and update the scope
- D. Root-cause analysis
Explanation
During the Analysis phase, one of the first SOC objectives is to validate that the alert reflects malicious activity rather than benign behavior. “Verify false positives” most directly captures this: analysts review alert evidence, confirm telemetry correctness, validate the triggering conditions, and look for corroborating artifacts (process lineage, file hashes, network connections, user actions) to decide whether the alert is a true positive. This prevents wasted effort and reduces disruption from unnecessary containment actions. “Verify generated logs” is too vague; log verification is a supporting activity, but the decision point is determining whether the detection is a false positive or a real incident. Scanning the enterprise and updating scope is typically done after initial validation confirms the threat, because scoping consumes resources and should be targeted. Root-cause analysis usually comes later, once you have confirmed the incident and stabilized containment, since RCA requires deeper investigation and often broader evidence collection. In SOC practice, validating false positives early improves response quality and ensures subsequent scoping and containment are justified and proportionate.