Splunk SPLK-3001 Exam - Topic 3 Question 15 Discussion

Actual exam question for Splunk's SPLK-3001 exam

Question #: 15
Topic #: 3

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

AEdit the search and modify the notable event status field to make the notable events less urgent.

BEdit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

CEdit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.

DModify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Show Suggested Answer

Suggested Answer: B

by Larae at May 06, 2022, 07:50 AM

Limited Time Offer

25%

Off

Get Premium SPLK-3001 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Eden

4 months ago

C doesn't make sense, it would just increase matches, right?

upvoted 0 times

...

Arletta

4 months ago

Wait, can we really just change the threshold like that? Sounds risky.

upvoted 0 times

...

Vanesa

4 months ago

A is just a band-aid solution, we need to fix the root cause.

upvoted 0 times

...

Enola

4 months ago

I disagree, D might be a better approach for urgency.

upvoted 0 times

...

Pura

4 months ago

B seems like the best option to reduce false positives.

upvoted 0 times

...

Roxane

5 months ago

I’m leaning towards option A, but I wonder if just changing the urgency status is enough to really address the false positives we’re seeing.

upvoted 0 times

...

Sabrina

5 months ago

I feel like modifying the urgency table could help, but I can't recall if that directly impacts the sensitivity of the correlation search.

upvoted 0 times

...

Viola

5 months ago

I think option B sounds familiar from our practice questions, where we had to tweak the search parameters to filter out noise.

upvoted 0 times

...

Kattie

5 months ago

I remember we discussed how adjusting the threshold values can help reduce false positives, but I'm not sure if it was about making them more or less common.

upvoted 0 times

...

Mitsue

5 months ago

Okay, I think I've got this. The key is that the data needs to start with "Ticket" and be less than 999 per day. I'll go with option B - that seems to fit the requirements best.

upvoted 0 times

...

Reyes

5 months ago

I've seen this type of question before. I'm pretty confident the answer is C - select the cell and choose the column style or body style option.

upvoted 0 times

...

Jame

5 months ago

Okay, let's think this through. A management review is a type of review, so it's likely focused on evaluating compliance and processes, rather than just aligning technical concepts or establishing requirements. I'm leaning towards option C.

upvoted 0 times

...