Splunk Enterprise Security Certified Admin — Question 83

Which of the following actions would not reduce the number of false positives from a correlation search?

Answer options

• A. Reducing the severity.
• B. Removing throttling fields.
• C. Increasing the throttling window.
• D. Increasing threshold sensitivity.

Correct answer: A

Explanation

Reducing the severity does not directly impact the false positive rate, as it simply lowers the importance of the alerts without addressing the underlying criteria triggering them. In contrast, removing throttling fields, increasing the throttling window, and increasing threshold sensitivity can all help fine-tune the alerts and potentially reduce false positives.