
Answer-first summary for fast verification
Answer: Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.
The correct answer is C: Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria. A suppression rule is a GuardDuty filter whose action is ARCHIVE: GuardDuty keeps generating the matching findings but marks them archived instead of sending them on to Amazon EventBridge, AWS Security Hub, Amazon Detective or the S3 findings export, so the known false positive (the legitimate connection volume to the FTP server) stops paging anyone, while the archived findings remain available in the console and through the API for periodic review. Scoping the rule to both the finding type and the FTP server's instance ID keeps detection intact everywhere else: the same finding type on any other instance, or a different finding type on the FTP server, is still raised normally. The other options either remove detection or do not work as described. GuardDuty has no per-finding-type "FTP rule" to disable (A). A trusted IP list stops GuardDuty from generating findings for traffic involving the listed IP addresses at all, which hides real attacks rather than filtering one known false positive (B). The GuardDuty API has no operation that deletes a finding, only one that archives it, so a Lambda function would be a fragile re-implementation of a suppression rule with extra permissions to maintain (D).
Author: LeetQuiz Editorial Team
A company has implemented Amazon GuardDuty across all AWS Regions to enhance its security monitoring. Within a specific VPC, they operate an Amazon EC2 instance functioning as an FTP server, which receives a high volume of connections from various locations hourly. GuardDuty interprets this as a brute force attack due to the frequency of connections. Despite the company marking this as a false positive, GuardDuty continues to report the issue. To refine the detection accuracy without reducing the awareness of potential threats, what measure should a security engineer take?
A
Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
B
Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.
C
Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.
D
Create an AWS Lambda function that has the appropriate permissions to delete the finding whenever a new occurrence is reported.
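The suppression rule in answer C, worked through as an added example that is not part of the original question or of any AWS documentation. It builds the `create_filter` request (a suppression rule is a GuardDuty filter with `Action="ARCHIVE"`), re-implements the `Eq`/`Neq` criterion matching locally so the rule can be checked against sample findings before it is deployed, and shows the `ListFindings` criteria that retrieves what the rule has archived. The instance ID and the finding type are assumptions: substitute the exact `type` string and instance ID from the finding GuardDuty raises for your FTP server. The sample findings are constructed and trimmed to the fields the rule inspects.

```python
"""Added example: build a GuardDuty suppression rule (a filter whose Action is
ARCHIVE) and check which findings it would archive.  Not LeetQuiz's or AWS's
own code; the identifiers below are assumptions for illustration."""
import json
from typing import Any, Dict, List

# Assumed values, not from the question: replace with your own.
FTP_INSTANCE_ID = "i-0123456789abcdef0"
# Assumption: use the exact `type` string from the finding GuardDuty raises for
# the FTP server; the EC2 brute-force type below is a stand-in.
FINDING_TYPE = "UnauthorizedAccess:EC2/SSHBruteForce"


def suppression_rule(instance_id: str, finding_type: str) -> Dict[str, Any]:
    """Keyword arguments for boto3 guardduty.create_filter.

    Criterion keys are ANDed; the Eq list under one key is ORed.  Scoping on
    both the instance and the finding type keeps the rule narrow: the same
    finding type on any other instance, or any other finding type on this
    instance, still alerts normally.
    """
    return {
        "Name": "suppress-ftp-server-bruteforce",
        "Description": "Known false positive: legitimate FTP client volume",
        "Action": "ARCHIVE",  # NOOP would keep the filter for searching only
        "Rank": 1,            # order in which filters are applied (1 = first)
        "FindingCriteria": {
            "Criterion": {
                "type": {"Eq": [finding_type]},
                "resource.instanceDetails.instanceId": {"Eq": [instance_id]},
            }
        },
    }


def archived_findings_criteria() -> Dict[str, Any]:
    """FindingCriteria for list_findings that returns only archived findings,
    i.e. what the suppression rule has been hiding; pair with get_findings
    to review them periodically."""
    return {"Criterion": {"service.archived": {"Eq": ["true"]}}}


def _lookup(finding: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted criterion key such as resource.instanceDetails.instanceId."""
    node: Any = finding
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def finding_matches(criteria: Dict[str, Any], finding: Dict[str, Any]) -> bool:
    """Local re-implementation of the Eq/Neq criterion semantics (all keys
    must match), used to test a rule against sample findings offline."""
    for key, cond in criteria["Criterion"].items():
        value = _lookup(finding, key)
        if "Eq" in cond and value not in cond["Eq"]:
            return False
        if "Neq" in cond and value in cond["Neq"]:
            return False
    return True


def classify(rule: Dict[str, Any], findings: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Split findings into those the rule would auto-archive and those that
    still reach EventBridge / Security Hub."""
    archived: List[str] = []
    active: List[str] = []
    for f in findings:
        (archived if finding_matches(rule["FindingCriteria"], f) else active).append(f["id"])
    return {"archived": archived, "active": active}


# Constructed sample findings, trimmed to the fields the rule inspects.
SAMPLE_FINDINGS = [
    {"id": "f-ftp-bruteforce", "type": FINDING_TYPE,
     "resource": {"instanceDetails": {"instanceId": FTP_INSTANCE_ID}}},
    {"id": "f-other-host-bruteforce", "type": FINDING_TYPE,
     "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}}},
    {"id": "f-ftp-other-type", "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "resource": {"instanceDetails": {"instanceId": FTP_INSTANCE_ID}}},
]


def apply_rule(detector_id: str, rule: Dict[str, Any]) -> str:
    """Create the filter in the account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the rest of the module runs offline
    resp = boto3.client("guardduty").create_filter(DetectorId=detector_id, **rule)
    return resp["Name"]


if __name__ == "__main__":
    rule = suppression_rule(FTP_INSTANCE_ID, FINDING_TYPE)
    print(json.dumps(rule, indent=2))
    print(classify(rule, SAMPLE_FINDINGS))
```

Only the brute-force finding on the FTP instance ends up archived; the same finding type on another host and a different finding type on the FTP host stay active, which is the "refine detection without losing awareness" property the question asks for. Run `apply_rule` with your detector ID once the local check looks right, and use `archived_findings_criteria()` with `list_findings` to audit what the rule has been hiding.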