Examice

Exam SPLK-3001 All QuestionsBrowse all questions from this exam

Question 54

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated.

How can the correlation search be made less sensitive?

Edit the search and modify the notable event status field to make the notable events less urgent.

Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.

Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Correct Answer: B

To make a correlation search less sensitive, you need to adjust the criteria that trigger alerts so that fewer false positives occur. This can be done by editing the search and modifying the where or xswhere statements to alter the threshold value. By increasing the threshold value, you make it less likely for the conditions to be met, thereby reducing the number of false positives. Making it less common means setting the threshold to a higher number or less frequently occurring condition, which aligns with option B.

Discussion

tjolesOption: B

Answer is B. there is a typo(should be alter)