In the incident response process, the identification phase is used to recognize whether an event that occurs should be classified as an incident. Therefore, false-positive tuning would increase the identification time, as A and D would give you more insights, but also more FPs, and therefore it makes it harder to identify real incidents... I'll go with "B".
B. Tune monitoring in order to reduce false positive rates.
Improving the speed of the identification phase in the incident response process involves reducing the amount of data that has to be analyzed to find the incident. Tuning monitoring to reduce false positive rates helps to achieve this goal by reducing the amount of noise in the logs and alerts that have to be analyzed. This means that only the most relevant data is being evaluated, which can significantly reduce the time it takes to identify an incident and move to the next phase of the incident response process. By tuning the monitoring to reduce false positive rates, the systems administrator can focus on only the most important data, which can help to speed up the identification phase and improve overall incident response time.
Reducing false positive rates in monitoring and alerting systems helps to minimize the noise and focus on relevant alerts. By fine-tuning the monitoring rules and thresholds, the security team can filter out non-critical or irrelevant alerts, allowing them to quickly identify genuine security incidents that require immediate attention. This optimization ensures that the incident response team can focus on real threats and avoid wasting time on false alarms, ultimately improving the speed and effectiveness of the identification phase.
Tuning monitoring in order to reduce false positive rates is the BEST approach to improve the speed of the identification phase in the incident response process. By reducing false positives, security analysts can focus on investigating and responding to actual security incidents, rather than spending time on false alarms. This can help speed up the identification phase by allowing analysts to quickly identify and respond to real security incidents. Activating verbose logging in all critical assets, redirecting all events to multiple syslog servers, and increasing the number of sensors present on the environment can also be helpful, but may not have as much of an impact on the speed of the identification phase as tuning monitoring to reduce false positives.
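The comments above argue for option B in prose only. As an added example (not part of the exam question or any commenter's post), the toy detector below runs an untuned failed-login rule and a tuned one over the same constructed sshd log lines. The hostnames, addresses, users, the 5-failures-in-60-seconds threshold and the allowlisted scanner address 10.0.9.2 are all assumptions made up for the illustration; nothing here comes from a real system.

```python
"""Toy illustration of tuning a failed-login rule to cut false positives.

Added example; the log lines, hosts, addresses and allowlist are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth log: two users who mistype once, an authorized
# credential scanner (10.0.9.2) that always fails, and one external source
# (203.0.113.4) guessing usernames that do not exist.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[101]: Failed password for alice from 10.0.1.5 port 50122 ssh2
Mar 10 09:00:09 host1 sshd[102]: Accepted password for alice from 10.0.1.5 port 50122 ssh2
Mar 10 09:01:14 host1 sshd[103]: Failed password for bob from 10.0.1.7 port 50311 ssh2
Mar 10 09:01:20 host1 sshd[104]: Accepted password for bob from 10.0.1.7 port 50311 ssh2
Mar 10 09:02:00 host1 sshd[105]: Failed password for svc-scan from 10.0.9.2 port 40001 ssh2
Mar 10 09:02:01 host1 sshd[106]: Failed password for svc-scan from 10.0.9.2 port 40002 ssh2
Mar 10 09:02:02 host1 sshd[107]: Failed password for svc-scan from 10.0.9.2 port 40003 ssh2
Mar 10 09:02:03 host1 sshd[108]: Failed password for svc-scan from 10.0.9.2 port 40004 ssh2
Mar 10 09:02:04 host1 sshd[109]: Failed password for svc-scan from 10.0.9.2 port 40005 ssh2
Mar 10 09:05:00 host1 sshd[110]: Failed password for invalid user admin from 203.0.113.4 port 3301 ssh2
Mar 10 09:05:01 host1 sshd[111]: Failed password for invalid user root from 203.0.113.4 port 3302 ssh2
Mar 10 09:05:02 host1 sshd[112]: Failed password for invalid user test from 203.0.113.4 port 3303 ssh2
Mar 10 09:05:03 host1 sshd[113]: Failed password for invalid user oracle from 203.0.113.4 port 3304 ssh2
Mar 10 09:05:04 host1 sshd[114]: Failed password for invalid user ubuntu from 203.0.113.4 port 3305 ssh2
Mar 10 09:05:05 host1 sshd[115]: Failed password for invalid user guest from 203.0.113.4 port 3306 ssh2
Mar 10 09:30:00 host1 sshd[116]: Failed password for carol from 10.0.1.9 port 50777 ssh2
Mar 10 09:30:12 host1 sshd[117]: Accepted password for carol from 10.0.1.9 port 50777 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)

# Assumed allowlist: the organization's own authorized credential scanner.
ALLOWLIST = frozenset({"10.0.9.2"})


def parse(log_text):
    """Return (timestamp, result, user, source) for every sshd auth line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def naive_alerts(log_text):
    """Untuned rule: one alert per failed login, so every mistyped password pages an analyst."""
    return [{"source": src, "user": user, "time": ts}
            for ts, result, user, src in parse(log_text) if result == "Failed"]


def tuned_alerts(log_text, threshold=5, window=timedelta(seconds=60), allowlist=frozenset()):
    """Tuned rule: one alert when a single source reaches `threshold` failures inside
    `window`; sources on `allowlist` are suppressed entirely."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    alerts = []
    for ts, result, user, src in parse(log_text):
        if result != "Failed" or src in allowlist:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"source": src, "failures": len(q), "first": q[0], "last": ts})
            q.clear()   # one alert per burst rather than one per subsequent failure
    return alerts


if __name__ == "__main__":
    print("untuned rule alerts:", len(naive_alerts(SAMPLE_LOG)))
    print("tuned rule alerts:  ", tuned_alerts(SAMPLE_LOG, allowlist=ALLOWLIST))
```

On this input the untuned rule raises 14 alerts, only 6 of which concern the guessing source, while the tuned rule raises a single alert naming 203.0.113.4 with the burst's first and last timestamps already attached. Dropping the allowlist makes the scanner trigger a second alert, which is exactly the kind of known-benign noise that a threshold alone does not remove and that an analyst would otherwise have to re-triage every day.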
B, getting an accurate report will allow the analyst to pinpoint the problem fast.
Not A, because there is no point focusing on critical assets when the point of entry is likely some host.
Not C, because having your logs distributed makes it harder to aggregate.
Not D, because more sensors will produce more logs for the analyst to sift through.
Read the article; nothing about increasing sensors in the environment was mentioned for the identification phase. Any better explanation?
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters (post age as shown on the page): Sir_Learnalot (Highly Voted, 2 years, 5 months ago); ronniehaang (Highly Voted, 2 years, 2 months ago); ApplebeesWaiter1122 (Most Recent, 1 year, 9 months ago); Yawannawanka (2 years ago); Bogardinc (2 years, 2 months ago); omen679 (2 years, 2 months ago); G4ct756 (2 years, 6 months ago); ostralo (three posts, 2 years, 6 months ago); nk020 (2 years, 6 months ago); jspecht (2 years, 6 months ago); yasuke (2 years, 6 months ago); Granddude (2 years, 6 months ago); Papee (2 years, 6 months ago)