PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER · Question #113

The correct answer is B: modify the rule to include the condition principal.user.type != "service_account".

Question

Your Google Security Operations (SecOps) instance is generating alerts for unusual login times from multiple user accounts. Your SOC analysts are reporting a high number of the alerts are false positives involving service accounts used by scheduled automation tasks. You want to refine the detection logic using entity-level context available in Google SecOps. You want to use the most effective approach. What should you do?

Options

  • A. Use asset tags to group known automation systems, and exclude them from the alert logic.
  • B. Modify the rule to include the principal.user.type != "service_account" condition.
  • C. Update the rule to only alert when the principal.user.email and principal.user.userid fields match.
  • D. Add a reference list of all service accounts, and suppress alerts for any matches on the

Explanation

Option B is the most effective approach. Adding the condition principal.user.type != "service_account" to the rule uses entity-level context that Google SecOps already attaches to the principal, so service accounts stop matching the unusual-login-time logic without any list to maintain. Option A operates on assets (hosts), not on the user identities that are generating the alerts, and a scheduled task's service account can log in from many hosts. Option C compares two identifiers of the same user and says nothing about whether the account is automated. Option D works only as long as someone keeps the reference list current; every newly created service account produces false positives until it is added. Before deploying the condition, confirm against your instance's UDM schema that the user type field is actually populated by the parsers for the login sources in question, because the exclusion has no effect on events where the field is unset.
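To make the difference between options B and D concrete, the following is an added, runnable illustration (not code from the exam page, and not Google SecOps YARA-L). It evaluates a handful of constructed, UDM-shaped login events against the unrefined rule, the reference-list variant (D), and the entity-type variant (B). The business-hours window, the sample user IDs, and the flattened field names are assumptions; the field name principal.user.type and the value service_account are copied from option B and must be checked against the UDM field your parsers populate.

```python
"""Compare three ways of cutting service-account noise from an
"unusual login time" detection.

Added example, not from the exam page and not YARA-L: plain Python over
constructed, UDM-shaped events so each refinement can be checked offline.
"""
from datetime import datetime, timezone

# Assumed working-hours window (UTC); logins outside it are "unusual".
BUSINESS_START_HOUR = 8   # inclusive
BUSINESS_END_HOUR = 18    # exclusive

# Constructed sample events with flattened UDM-style keys (all assumptions).
EVENTS = [
    {"metadata.event_type": "USER_LOGIN", "metadata.event_timestamp": "2024-05-06T03:00:00Z",
     "principal.user.userid": "backup-runner", "principal.user.type": "service_account"},
    {"metadata.event_type": "USER_LOGIN", "metadata.event_timestamp": "2024-05-06T03:15:00Z",
     "principal.user.userid": "alice", "principal.user.type": "user"},
    {"metadata.event_type": "USER_LOGIN", "metadata.event_timestamp": "2024-05-06T10:30:00Z",
     "principal.user.userid": "bob", "principal.user.type": "user"},
    # Service account created after the reference list was last maintained.
    {"metadata.event_type": "USER_LOGIN", "metadata.event_timestamp": "2024-05-07T02:00:00Z",
     "principal.user.userid": "new-etl-sa", "principal.user.type": "service_account"},
    # Parser did not populate the type field for this log source.
    {"metadata.event_type": "USER_LOGIN", "metadata.event_timestamp": "2024-05-07T04:00:00Z",
     "principal.user.userid": "carol"},
    # Not a login at all; must never match any variant.
    {"metadata.event_type": "USER_LOGOUT", "metadata.event_timestamp": "2024-05-07T04:05:00Z",
     "principal.user.userid": "backup-runner", "principal.user.type": "service_account"},
]

# Option D's hand-maintained reference list, already missing "new-etl-sa".
KNOWN_SERVICE_ACCOUNTS = {"backup-runner"}


def login_hour_utc(event):
    """Return the UTC hour of the event timestamp."""
    ts = datetime.fromisoformat(event["metadata.event_timestamp"].replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc).hour


def is_unusual_login(event):
    """Baseline rule body: a USER_LOGIN outside the assumed business-hours window."""
    if event.get("metadata.event_type") != "USER_LOGIN":
        return False
    hour = login_hour_utc(event)
    return not (BUSINESS_START_HOUR <= hour < BUSINESS_END_HOUR)


def baseline_alerts(events):
    """Unrefined rule: every unusual login fires, service accounts included."""
    return sorted(e["principal.user.userid"] for e in events if is_unusual_login(e))


def reference_list_alerts(events, known_service_accounts):
    """Option D: suppress on a hand-maintained list of service-account IDs."""
    return sorted(
        e["principal.user.userid"] for e in events
        if is_unusual_login(e) and e["principal.user.userid"] not in known_service_accounts
    )


def entity_type_alerts(events):
    """Option B: exclude any principal whose user type is service_account.

    A missing type gives no evidence either way, so the login is kept
    (fail toward alerting rather than silently suppressing).
    """
    return sorted(
        e["principal.user.userid"] for e in events
        if is_unusual_login(e) and e.get("principal.user.type") != "service_account"
    )


if __name__ == "__main__":
    print("baseline       :", baseline_alerts(EVENTS))
    print("reference list :", reference_list_alerts(EVENTS, KNOWN_SERVICE_ACCOUNTS))
    print("entity type    :", entity_type_alerts(EVENTS))
```

Running it shows the reference-list variant still alerting on new-etl-sa because nobody added it to the list, while the entity-type variant drops every service account and keeps carol, whose event carries no type at all. That last case is the one to watch in a real instance: if a parser leaves the type field unset for a login source, the != condition cannot exclude those accounts, and you would see them reappear in the false-positive queue.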
