The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?
A. Edit the search and modify the notable event status field to make the notable events less urgent.
B. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a less common match.
C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
D. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.
If the number of failed logins is greater than or equal to the threshold value, the search triggers a notable event. To make the search less sensitive, increase the threshold value so that only a larger burst of failed logins triggers a notable event. For example, the default threshold value is 4, which means that 4 or more failed logins within a 1-minute window trigger a notable event. If the threshold value is changed to 10, only 10 or more failed logins within a 1-minute window trigger a notable event.

References:
Splunk Enterprise Security Admin Manual
Detecting brute force access behavior
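The following is an added illustration of the threshold comparison described above; it is not Splunk's correlation search and not code from the Enterprise Security manual. It counts failed logins per source address inside a sliding 1-minute window, over a constructed set of events, and returns the sources that would produce a notable event at a given threshold. Running it with thresholds 4 and 10 shows why raising the threshold reduces the number of notable events.

```python
"""Simplified stand-in for the threshold check in the Brute Force Access
Behavior Detected correlation search (added example, not Splunk's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from any real system):
# each entry is (timestamp, source address) for one failed authentication.
SAMPLE_FAILED_LOGINS = [
    # 5 failures in 30 seconds: triggers at threshold 4, not at 10
    ("2024-01-01T10:00:01", "10.0.0.5"),
    ("2024-01-01T10:00:05", "10.0.0.5"),
    ("2024-01-01T10:00:10", "10.0.0.5"),
    ("2024-01-01T10:00:20", "10.0.0.5"),
    ("2024-01-01T10:00:30", "10.0.0.5"),
    # 3 failures in 59 seconds: below the default threshold of 4
    ("2024-01-01T10:10:00", "192.0.2.9"),
    ("2024-01-01T10:10:30", "192.0.2.9"),
    ("2024-01-01T10:10:59", "192.0.2.9"),
] + [
    # 12 failures 3 seconds apart: triggers at threshold 4 and at 10
    ("2024-01-01T10:05:%02d" % (3 * i), "198.51.100.7") for i in range(12)
] + [
    # 6 failures exactly one minute apart: never 2 inside one 1-minute window
    ("2024-01-01T10:%02d:00" % (20 + i), "203.0.113.4") for i in range(6)
]

WINDOW = timedelta(minutes=1)  # the search's 1-minute evaluation window


def failed_login_bursts(events, threshold, window=WINDOW):
    """Return {src: peak failed logins within any `window`} for every source
    whose peak is >= threshold, i.e. the sources that would raise a notable.
    """
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(datetime.fromisoformat(ts))

    triggered = {}
    for src, times in by_src.items():
        times.sort()
        peak = 0
        start = 0
        # Sliding window: advance `start` until all events from start..end
        # fall inside the window, then record the window size.
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            triggered[src] = peak
    return triggered


def notable_count(events, threshold):
    """Number of sources that would generate a notable event at `threshold`."""
    return len(failed_login_bursts(events, threshold))


if __name__ == "__main__":
    for thr in (4, 10):
        hits = failed_login_bursts(SAMPLE_FAILED_LOGINS, thr)
        print(f"threshold >= {thr}: {len(hits)} notable(s) -> {hits}")
```

With the default threshold of 4 the sample produces two notable events (10.0.0.5 and 198.51.100.7); with the threshold raised to 10 only 198.51.100.7 remains, which is the effect answer B describes. The source that fails exactly once per minute never triggers at any threshold above 1, because no two of its failures share a 1-minute window.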