A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives.
What is a solution for this issue?
To address the issue of a correlation search generating many false positive notable events, modifying the correlation schedule and sensitivity for your site is the most effective solution. Adjusting the sensitivity can help fine-tune the detection criteria so that it better matches the environment, thereby reducing false positives. Changing the schedule can also help in ensuring that the search runs at appropriate intervals, further reducing unnecessary alerts. Suppressing notable events or changing their status and severity does not address the root cause of the problem, which is the search criteria itself.
C is correct Adjust correlation search sensitivity – False positives: returning results when none are actually there – False negatives: returning no results when something is expected Administering Splunk Enterprise Security page 224
Think answer should be A.
I also think the answer is A
C should be the answer. A is not correct since we cannot suppress a high volume of notable events manually. There will be thousands of them
C. Modify the correlation schedule and sensitivity
C is the correct answer.
By modifying the correlation search's schedule and sensitivity, you can adjust how frequently the search runs and the criteria it uses to generate notable events. This can help reduce the number of false positives by making the search conditions more stringent or reducing the frequency of the search to better match your environment. Suppression and changing status or severity do not address the root cause of false positives, while modifying the schedule and sensitivity directly impacts the detection criteria.