An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior.
Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users.
Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials.
How should the workflow be improved to resolve these issues?
A. Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts.
B. Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats.
C. Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts.
D. Increase the incorrect login tries and tune anomalous user behavior not to affect privileged accounts.
The given scenario describes that an engineer has implemented a Security Orchestration, Automation, and Response (SOAR) workflow to detect and respond to incorrect login attempts and anomalous user behavior. However, the implementation has resulted in false positive alerts and negative feedback from system administrators and privileged users.
To improve the SOAR workflow, several options are available, but among the given choices, the best answer would be:
C. Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts.
The reasons for selecting this answer are discussed below:
A. Meeting with privileged users to raise awareness, then modifying the rules for threat tags and anomalous-behavior alerts, addresses only part of the problem. Awareness does not stop people from mistyping a password or logging in at an unusual hour, and retuning the rules still leaves the workflow blocking accounts and resetting credentials automatically on any alert that survives the tuning, so legitimate users would keep being locked out whenever the rules misfire.
B. Changing the SOAR configuration flow to remove the automatic remediation stops the lockouts, but it also removes the response half of the workflow: every alert, including genuine password guessing, would then wait for a human to act, which defeats the purpose of automating the response.
C. Adding a confirmation step resolves the false positives without giving up automation. When a rule fires, SOAR notifies the affected user that a suspicious login attempt or anomalous activity was seen on their account and asks whether they made it; a confirmed "yes" closes the alert without blocking or resetting anything, while a "no", or no answer within a set time, lets the existing automatic remediation proceed. In practice the prompt should go over a channel the attacker is unlikely to control (a registered phone or device rather than the mailbox of the account in question), and an unanswered prompt should fail closed, so a real attacker cannot avoid the block simply by ignoring it.
D. Increasing the allowed incorrect login attempts and tuning anomalous-behavior detection so that it does not affect privileged accounts trades false positives for false negatives, and does so precisely on the accounts an attacker most wants; privileged accounts are the ones that most need tight thresholds, not exemptions.
Therefore, the best solution for improving the SOAR workflow in this scenario would be to add a confirmation step that allows the affected users to confirm or deny the suspicious activity, and based on their response, the SOAR system can take the necessary action. This approach will help reduce false positives and negative feedback and increase the accuracy and effectiveness of the SOAR workflow.
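The confirmation step from option C, as an added worked example in Python; this code is not from the original page or from any SOAR product. It assumes a threshold of 5 failures within 5 minutes, business hours of 08:00 to 18:00, a 15-minute confirmation timeout and an optional out-of-band `notify` callback supplied by the caller; the authentication events are constructed for the example. A firing rule opens a case and sends the user a prompt instead of blocking immediately, and the user's answer, or silence past the timeout, decides whether the original remediation runs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables: assumed values for this example, not taken from the question.
FAILED_THRESHOLD = 5                     # failures per user inside WINDOW that open a case
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(8, 18)            # successful logins outside these hours are anomalous
CONFIRM_TIMEOUT = timedelta(minutes=15)  # unanswered prompts fail closed after this long

# Constructed sample authentication events (illustrative, not real log data):
# (timestamp, username, outcome) with outcome "fail" or "success".
T0 = datetime(2024, 3, 4, 9, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=10 * i), "alice", "fail") for i in range(6)]  # 6 failures in 1 min
    + [(T0 + timedelta(minutes=1), "bob", "fail"),                         # one typo, then success
       (T0 + timedelta(minutes=2), "bob", "success"),
       (datetime(2024, 3, 4, 3, 15, 0), "carol", "success")]               # 03:15, outside hours
)


@dataclass
class Case:
    user: str
    reason: str
    opened_at: datetime
    status: str = "pending"              # pending -> closed_benign | remediated


class Playbook:
    """SOAR-style playbook that asks the user before it blocks or resets anything."""

    def __init__(self, notify=None):
        # notify(user, message) delivers the prompt over an out-of-band channel (push to a
        # registered device, for example), deliberately not the account under suspicion.
        self.notify = notify
        self.prompts = []                # (user, message) prompts issued, for inspection
        self.cases = {}                  # user -> Case (one case per user at a time)
        self.actions = []                # (user, action) remediations actually carried out
        self._fails = {}                 # user -> failure timestamps still inside WINDOW

    def ingest(self, events):
        for ts, user, outcome in sorted(events):
            if outcome == "fail":
                recent = [t for t in self._fails.get(user, []) if ts - t <= WINDOW]
                recent.append(ts)
                self._fails[user] = recent
                if len(recent) >= FAILED_THRESHOLD:
                    self._open_case(user, "failed_logins", ts)
            elif outcome == "success" and ts.hour not in BUSINESS_HOURS:
                self._open_case(user, "off_hours_login", ts)

    def _open_case(self, user, reason, now):
        # One pending case per user, so a burst of failures sends one prompt, not six.
        existing = self.cases.get(user)
        if existing is not None and existing.status == "pending":
            return
        self.cases[user] = Case(user, reason, now)
        msg = f"{reason.replace('_', ' ')} seen on your account at {now:%H:%M}. Was this you?"
        self.prompts.append((user, msg))
        if self.notify is not None:
            self.notify(user, msg)

    def respond(self, user, confirmed, now):
        case = self.cases.get(user)
        if case is None or case.status != "pending":
            return
        if confirmed and now - case.opened_at <= CONFIRM_TIMEOUT:
            case.status = "closed_benign"   # the user owns the activity: no lockout, no reset
        else:
            self._remediate(case)           # denied, or confirmed too late: treat as hostile

    def expire(self, now):
        # Fail closed: a prompt nobody answers must not leave a possible attacker unblocked.
        for case in self.cases.values():
            if case.status == "pending" and now - case.opened_at > CONFIRM_TIMEOUT:
                self._remediate(case)

    def _remediate(self, case):
        case.status = "remediated"
        self.actions.append((case.user, "block_account"))


def run_sample():
    """Feed the constructed events to a fresh playbook and return it for inspection."""
    pb = Playbook()
    pb.ingest(SAMPLE_EVENTS)
    return pb


if __name__ == "__main__":
    pb = run_sample()
    print("prompts sent to:", [u for u, _ in pb.prompts])          # ['carol', 'alice']
    pb.respond("alice", confirmed=True, now=T0.replace(minute=5))   # alice mistyped her password
    pb.expire(T0.replace(hour=10))                                  # carol never answered
    print("remediations:", pb.actions)                              # [('carol', 'block_account')]
```

Two design choices carry the security point. The prompt is sent through a channel the playbook's caller supplies, so it can be a registered device rather than the mailbox of the account being investigated, and `expire` treats silence as a denial, so the block still happens for an attacker who simply ignores the prompt; only an explicit, timely "yes" from the user suppresses the remediation. Bob's single mistyped password never reaches the threshold and generates no prompt at all.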