Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Splunk Exam SPLK-5002 Topic 5 Question 2 Discussion

Actual exam question for Splunk's SPLK-5002 exam
Question #: 2
Topic #: 5
[All SPLK-5002 Questions]

An engineer observes a high volume of false positives generated by a correlation search.

What steps should they take to reduce noise without missing critical detections?

Show Suggested Answer Hide Answer
Suggested Answer: B

How to Reduce False Positives in Correlation Searches?

High false positives can overwhelm SOC teams, causing alert fatigue and missed real threats. The best solution is to fine-tune suppression rules and refine thresholds.

How Suppression Rules & Threshold Tuning Help: Suppression Rules: Prevent repeated false positives from low-risk recurring events (e.g., normal system scans). Threshold Refinement: Adjust sensitivity to focus on true threats (e.g., changing a login failure alert from 3 to 10 failed attempts).

Example in Splunk ES: Scenario: A correlation search generates too many alerts for failed logins. Fix: SOC analysts refine detection thresholds:

Suppress alerts if failed logins occur within a short timeframe but are followed by a successful login.

Only trigger an alert if failed logins exceed 10 attempts within 5 minutes.

Why Not the Other Options?

A. Increase the frequency of the correlation search -- Increases search load without reducing false positives. C. Disable the correlation search temporarily -- Leads to blind spots in detection. D. Limit the search to a single index -- May exclude critical security logs from detection.

Reference & Learning Resources

Splunk ES Correlation Search Optimization Guide: https://docs.splunk.com/Documentation/ES Reducing False Positives in SOC Workflows: https://splunkbase.splunk.com Fine-Tuning Security Alerts in Splunk: https://www.splunk.com/en_us/blog/security


by Fairy at Mar 21, 2025, 02:24 PM

Limited Time Offer

25%

Off

Get Premium SPLK-5002 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Dorian
2 months ago
I think disabling the correlation search temporarily could also be a good option to consider.
upvoted 0 times
...
Alpha
2 months ago
Option B is the clear winner here. Refining the thresholds is key to getting that signal-to-noise ratio under control.
upvoted 0 times
Jettie
18 days ago
User 2: Agreed, that should help reduce the false positives.
upvoted 0 times
...
Deeanna
19 days ago
User 1: I think we should go with option B and refine the thresholds.
upvoted 0 times
...
...
Magda
2 months ago
But wouldn't limiting the search to a single index also help?
upvoted 0 times
...
Tammara
2 months ago
I agree with Glendora, that could help reduce false positives.
upvoted 0 times
...
Janey
2 months ago
I'd go with Option D. Limiting the search to a single index seems like a quick and easy way to cut down on the false positives.
upvoted 0 times
Geoffrey
Option D sounds like a good idea. It could help reduce the false positives.
upvoted 0 times
...
Jamika
22 hours ago
Disabling the correlation search temporarily could be risky, we might miss critical detections.
upvoted 0 times
...
Lashanda
5 days ago
Increasing the frequency of the correlation search might overwhelm the system with more false positives.
upvoted 0 times
...
Alesia
26 days ago
I think adding suppression rules and refining thresholds could also be helpful in reducing noise.
upvoted 0 times
...
Michell
27 days ago
Option D sounds like a good idea. It could help reduce the false positives.
upvoted 0 times
...
...
Glendora
2 months ago
I think we should add suppression rules and refine thresholds.
upvoted 0 times
...
Elvera
2 months ago
Haha, disabling the correlation search? That's like trying to fix a broken window by boarding it up completely. Option B is the way to go.
upvoted 0 times
Laila
1 months ago
User 3: Increasing the frequency of the correlation search might just overwhelm us with more noise.
upvoted 0 times
...
Jackie
1 months ago
User 2: Definitely, that way we can reduce the false positives without missing important detections.
upvoted 0 times
...
Twana
2 months ago
User 1: I agree, adding suppression rules and refining thresholds is the best approach.
upvoted 0 times
...
...
Vanda
2 months ago
Option B looks good to me. Adjusting the suppression rules and thresholds should help reduce the noise without missing important detections.
upvoted 0 times
Carlota
1 months ago
User 3: Limiting the search to a single index might also help in reducing noise without missing critical detections.
upvoted 0 times
...
Jose
1 months ago
User 2: I think increasing the frequency of the correlation search could also be a good idea to catch any missed detections.
upvoted 0 times
...
Leonora
2 months ago
User 1: I agree, adjusting suppression rules and thresholds can definitely help with reducing false positives.
upvoted 0 times
...
...

Save Cancel