PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER Question #10: Real Exam Question with Answer & Explanation
The correct answer is A.
Question
Options
- A. Add principal.user.email != "[email protected]" to the rule condition to exclude the
- B. Replace api.operation with api.service_name = "storage.googleapis.com" to narrow the detection
- C. Convert the rule into a multi-event rule that looks for repeated API calls across multiple buckets.
- D. Adjust the rule severity to LOW to deprioritize alerts from automation tools.
Explanation
The most accurate way to reduce false positives is to exclude the known trusted backup automation account by adding a condition such as principal.user.email != "backup-[email protected]". This keeps the rule active for all other accounts, ensuring you still detect suspicious or malicious Cloud Storage enumeration while preventing unnecessary alerts from legitimate automation.