An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials. How should the workflow be improved to resolve these issues?
A) Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts
B) Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats
C) Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts
D) Increase incorrect login tries and tune anomalous user behavior not to affect privileged accounts

Question

Quizplus · Accepted Answer

Removing automatic remediation will reduce false positives and prevent legitimate users from being incorrectly tagged as threats, allowing for more accurate threat detection and response.

An Engineer Implemented a SOAR Workflow to Detect and Respond