Splunk SPLK-5002 Exam - Topic 5 Question 2 Discussion

Actual exam question for Splunk's SPLK-5002 exam

Question #: 2
Topic #: 5

[All SPLK-5002 Questions]

An engineer observes a high volume of false positives generated by a correlation search.

What steps should they take to reduce noise without missing critical detections?

AIncrease the frequency of the correlation search.

BAdd suppression rules and refine thresholds.

CDisable the correlation search temporarily.

DLimit the search to a single index.

Show Suggested Answer

Suggested Answer: B

How to Reduce False Positives in Correlation Searches?

High false positives can overwhelm SOC teams, causing alert fatigue and missed real threats. The best solution is to fine-tune suppression rules and refine thresholds.

How Suppression Rules & Threshold Tuning Help: Suppression Rules: Prevent repeated false positives from low-risk recurring events (e.g., normal system scans). Threshold Refinement: Adjust sensitivity to focus on true threats (e.g., changing a login failure alert from 3 to 10 failed attempts).

Example in Splunk ES: Scenario: A correlation search generates too many alerts for failed logins. Fix: SOC analysts refine detection thresholds:

Suppress alerts if failed logins occur within a short timeframe but are followed by a successful login.

Only trigger an alert if failed logins exceed 10 attempts within 5 minutes.

Why Not the Other Options?

A. Increase the frequency of the correlation search -- Increases search load without reducing false positives. C. Disable the correlation search temporarily -- Leads to blind spots in detection. D. Limit the search to a single index -- May exclude critical security logs from detection.

Reference & Learning Resources

Splunk ES Correlation Search Optimization Guide: https://docs.splunk.com/Documentation/ES Reducing False Positives in SOC Workflows: https://splunkbase.splunk.com Fine-Tuning Security Alerts in Splunk: https://www.splunk.com/en_us/blog/security

by Fairy at Mar 21, 2025, 02:24 PM

Limited Time Offer

25%

Off

Get Premium SPLK-5002 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Ira

4 months ago

Wait, disabling the search? That sounds risky!

upvoted 0 times

...

Remona

4 months ago

I think D could help, but it might miss important data.

upvoted 0 times

...

Wynell

4 months ago

B is the best option, gotta refine those thresholds!

upvoted 0 times

...

Ahmed

4 months ago

A is not the answer, that just increases noise!

upvoted 0 times

...

Josefa

5 months ago

Definitely B, suppression rules are key!

upvoted 0 times

...

Shaun

5 months ago

Suppression rules and refining thresholds sound familiar from practice questions, but I wonder if there's a better approach than just disabling the search temporarily.

upvoted 0 times

...

Dexter

5 months ago

Increasing the frequency of the correlation search seems counterintuitive if we're trying to reduce noise. I feel like that could just make things worse.

upvoted 0 times

...

Alida

5 months ago

I think limiting the search to a single index might help, but it could also risk missing some important detections.

upvoted 0 times

...

Clay

5 months ago

I remember we discussed how adding suppression rules can help reduce false positives, but I'm not entirely sure how to refine the thresholds effectively.

upvoted 0 times

...

Shayne

6 months ago

Limiting the search to a single index could be a good idea, but I'd want to make sure that's not going to cause us to miss anything important. Gotta be careful with that one.

upvoted 0 times

...

Willis

6 months ago

Disabling the correlation search temporarily doesn't seem like the right approach - we need to find a way to make it work better, not just turn it off.

upvoted 0 times

...

Barney

6 months ago

Okay, I think the key here is to find a way to refine the thresholds and add suppression rules. That should help cut down on the false positives without losing the important stuff.

upvoted 0 times

...

Hector

6 months ago

Hmm, this seems like a tricky one. I'd want to carefully consider the trade-offs between reducing noise and missing critical detections.

upvoted 0 times

...

Dorian

12 months ago

I think disabling the correlation search temporarily could also be a good option to consider.

upvoted 0 times

...

Alpha

12 months ago

Option B is the clear winner here. Refining the thresholds is key to getting that signal-to-noise ratio under control.

upvoted 0 times

Jettie

11 months ago

User 2: Agreed, that should help reduce the false positives.

upvoted 0 times

...

Deeanna

11 months ago

User 1: I think we should go with option B and refine the thresholds.

upvoted 0 times

...

Magda

1 year ago

But wouldn't limiting the search to a single index also help?

upvoted 0 times

...

Tammara

1 year ago

I agree with Glendora, that could help reduce false positives.

upvoted 0 times

...

Janey

1 year ago

I'd go with Option D. Limiting the search to a single index seems like a quick and easy way to cut down on the false positives.

upvoted 0 times

Carey

10 months ago

Disabling the correlation search temporarily could be risky, we might miss critical detections.

upvoted 0 times

...

Peter

10 months ago

Increasing the frequency of the correlation search might overwhelm the system with more false positives.

upvoted 0 times

...

Jesusita

10 months ago

I think adding suppression rules and refining thresholds could also be helpful in reducing noise.

upvoted 0 times

...

Geoffrey

10 months ago

Option D sounds like a good idea. It could help reduce the false positives.

upvoted 0 times

...

Jamika

10 months ago

Disabling the correlation search temporarily could be risky, we might miss critical detections.

upvoted 0 times

...

Lashanda

10 months ago

Increasing the frequency of the correlation search might overwhelm the system with more false positives.

upvoted 0 times

...

Alesia

11 months ago

I think adding suppression rules and refining thresholds could also be helpful in reducing noise.

upvoted 0 times

...

Michell

11 months ago

Option D sounds like a good idea. It could help reduce the false positives.

upvoted 0 times

...

Glendora

1 year ago

I think we should add suppression rules and refine thresholds.

upvoted 0 times

...

Elvera

1 year ago

Haha, disabling the correlation search? That's like trying to fix a broken window by boarding it up completely. Option B is the way to go.

upvoted 0 times

Laila

12 months ago

User 3: Increasing the frequency of the correlation search might just overwhelm us with more noise.

upvoted 0 times

...

Jackie

12 months ago

User 2: Definitely, that way we can reduce the false positives without missing important detections.

upvoted 0 times

...

Twana

12 months ago

User 1: I agree, adding suppression rules and refining thresholds is the best approach.

upvoted 0 times

...

Vanda

1 year ago

Option B looks good to me. Adjusting the suppression rules and thresholds should help reduce the noise without missing important detections.

upvoted 0 times

Carlota

11 months ago

User 3: Limiting the search to a single index might also help in reducing noise without missing critical detections.

upvoted 0 times

...

Jose

12 months ago

User 2: I think increasing the frequency of the correlation search could also be a good idea to catch any missed detections.

upvoted 0 times

...

Leonora

1 year ago

User 1: I agree, adjusting suppression rules and thresholds can definitely help with reducing false positives.

upvoted 0 times

...