Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 41

An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials. How should the workflow be improved to resolve these issues?

Answer options

• A. Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts
• B. Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats
• C. Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts
• D. Increase incorrect login tries and tune anomalous user behavior not to affect privileged accounts

Correct answer: C

Explanation

The correct answer is C because adding a confirmation step allows users to validate their login attempts, reducing false positives. Options A and B do not directly address the need for user involvement in verifying their actions. Option D might help, but it could overlook legitimate security concerns by excluding privileged accounts from scrutiny.