Splunk Enterprise Security Certified Admin — Question 26

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives.
What is a solution for this issue?

Answer options

• A. Suppress notable events from that correlation search.
• B. Disable acceleration for the correlation search to reduce storage requirements.
• C. Modify the correlation schedule and sensitivity for your site.
• D. Change the correlation search's default status and severity.

Correct answer: C

Explanation

The correct answer is C because adjusting the correlation schedule and sensitivity can help fine-tune the search, reducing the number of false positives. Options A and D are not effective as they don't address the underlying configuration, and B is irrelevant since disabling acceleration doesn't solve the false positive issue.