Splunk Observability Cloud Certified Metrics User — Question 5
A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.
What should they ask their engineer for to make their analysis easier?
Answer options
- A. Create a field extraction for this information.
- B. Add this information to the risk_message.
- C. Create another detection for this information.
- D. Allowlist more events based on this information.
Correct answer: A
Explanation
The correct answer is A because a field extraction turns the useful information already present in the raw logs into searchable fields, letting the analyst filter and pivot on it directly instead of reading raw events. Option B would only surface that information inside the risk_message text rather than as a field the analyst can search, and option C adds a new detection instead of making the existing events easier to analyze. Option D focuses on allowlisting more events rather than enhancing the analysis of the current ones.