XSIAM-Analyst exam question
Which two actions can an analyst take to reduce the number of false positive alerts generated by a custom BIOC? (Choose two.)

A. Implement a global exception in the prevention profile.
B. Implement a shunt in a BIOC bypass rule.
C. Implement an alert exclusion rule.
D. Implement a BIOC rule exception.
The correct answers are C (Implement an alert exclusion rule) and D (Implement a BIOC rule exception).

Alert exclusion rule: Allows analysts to specify criteria under which certain alerts are excluded from being generated, reducing unnecessary noise.

BIOC rule exception: Enables the analyst to exempt specific cases or environments from triggering a BIOC, effectively minimizing false positives.
"False positives from BIOC rules can be minimized by implementing alert exclusion rules or setting BIOC rule exceptions for known benign activity."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf
Page: 58 (Alerting and Detection section)