Splunk Enterprise Security Certified Admin — Question 59

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated.
How can the correlation search be made less sensitive?

Answer options

• A. Edit the search and modify the notable event status field to make the notable events less urgent.
• B. Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.
• C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
• D. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Correct answer: B

Explanation

Option B is correct because modifying the threshold value to make it less likely to match will effectively reduce the number of false positives. Option A only changes the urgency of the events but does not address the sensitivity of the correlation search itself. Option C would actually increase sensitivity by making matches more common, while option D alters the urgency but not the underlying matching criteria.