Question 4 - ISACA CISM Practice Exam Dumps [2026 Update]

Q: 4

An organization's automated security monitoring tool generates an excessively large amount of falsq positives. Which of the following is the BEST method to optimize the monitoring process?

Options

Discussion

Luke R. Mar 11, 2026 4:22 pm

Option B

Neha T. Mar 12, 2026 2:00 pm

I'd pick A here. Reporting only critical alerts seems like it would cut down on noise fast, which is what the question asks. I get why B is picked a lot but still think A makes more sense if you're just trying to make monitoring easier right away. Anyone else think so?

DirectConsultant613 Mar 18, 2026 2:38 am

B edges it for me-changing reporting thresholds actually tackles why there are so many false positives instead of just hiding them. A might be tempting but you risk ignoring useful alerts. Could also depend on how the environment is set up, but B seems safest.

Robin N. Mar 12, 2026 9:37 am

B here, changing reporting thresholds is what actually tunes out the false positives.

Alex U. Mar 11, 2026 1:20 am

Its B, had something like this in a mock. Adjusting thresholds is classic for too many false positives.

Nina N. Feb 28, 2026 12:08 pm

I don’t think C fits since it’s more about what gets logged, not directly reducing false positives in the alerting logic. B.

Priya F. Mar 12, 2026 9:37 am

B like the official ISACA guides say. Adjusting thresholds is a common fix for alert overload, saw similar recommendations in practice resources.

Sanjay G. Mar 17, 2026 10:04 am

B imo. Adjusting reporting thresholds helps reduce false positives at the source, which is more effective than just filtering alerts by timeframe like D. Pretty sure C and A don’t really address the root problem.

Anita U. Mar 16, 2026 1:43 am

B or D? I think B is better since changing thresholds directly reduces the number of false positives at the source. D only limits when you see them, doesn’t really fix the spam. Not 100% though, anyone disagree?

Priya D. Mar 3, 2026 9:49 am

Probably D. Saw something close to this in a practice test and D seemed right to me.

Be respectful. No spam.

Correct Answer:

Explanation

An excessive number of false positives indicates that the security monitoring tool's detection rules are too sensitive for the organization's specific operational environment. The most direct and effective method to optimize the process is to tune the system by changing the reporting thresholds or adjusting the logic of the correlation rules. This process, often referred to as "baselining" or "tuning," helps the system better distinguish between normal network/system activity and actual malicious events. Adjusting thresholds reduces alert fatigue and allows security analysts to focus their efforts on investigating genuine threats, thereby improving the overall efficiency and effectiveness of the security monitoring function.

Why Incorrect

A. Report only critical alerts: This is a filtering action that masks the underlying problem of poor tuning and can lead to missing precursor events that are part of a larger attack.

C. Reconfigure log recording: This alters the data being collected, not the analysis of that data. The issue lies with the analysis rules, not necessarily the logs themselves.

D. Monitor incidents in a specific time frame: This creates significant and unacceptable security blind spots, as attackers do not adhere to a schedule.

---

References

1. ISACA

CISM Review Manual

15th Edition. Domain 4: Information Security Incident Management. The manual emphasizes that a key part of the detection and analysis phase of incident management is the continuous tuning of detection systems. It states that security events must be analyzed against predefined thresholds and baselines to determine if they constitute an incident. An excess of false positives is a clear indicator that these thresholds require adjustment. (Specifically

see the sections covering "Incident Detection and Analysis Tools and Techniques").

2. NIST Special Publication 800-137

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Section 3.3

"Analyze

" discusses the analysis of security-related information. It notes that organizations define monitoring frequencies and analysis triggers/thresholds. The document states

"Analysis of the data collected may trigger an alert to the appropriate organizational officials for a response... Triggers can be event-driven

query-driven

or based on a specific time." Adjusting these thresholds is the primary mechanism for controlling alert volume. (Page 19

Section 3.3).

3. NIST Special Publication 800-92

Guide to Computer Security Log Management. Section 4.3.2

"Log Analysis Methods and Techniques

" discusses how automated analysis tools use correlation rules and thresholds. It implicitly supports the need for tuning

stating

"Organizations should test their log analysis capabilities to ensure that they can identify events of interest in a timely and accurate manner

" which includes minimizing false positives by adjusting these parameters.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE