A company's security operations center receives an alert about potential data exfiltration, but the alert contains false positives. An analyst must design a more effective alerting strategy. Which approach should be prioritized?

  A. Manually review all alerts before escalation
  B. Increase alert sensitivity to catch more threats
  C. Disable the alert to eliminate false positives
  D. Correlate the alert with user behavior baselines and context data ✓

Correct answer: Correlate the alert with user behavior baselines and context data

Option D is correct because correlating an alert with user behavior baselines and contextual data (such as normal working hours, typical data volumes, and business role) allows the SOC to distinguish genuine exfiltration from benign activity, directly reducing false positives while preserving true-positive detection. Option A (manually reviewing all alerts) is unsustainable at scale and does not address the root cause of imprecise alerting. Option B (increasing sensitivity) will generate even more alerts and worsen the false-positive rate, creating alert fatigue. Option C (disabling the alert) eliminates the detection capability entirely and leaves the organization blind to real exfiltration activity.

Topics: UEBA, false positives, alert tuning, data exfiltration

Practice CompTIA CySA+ (CS0-003) Questions Free