When a correlation search in Splunk Enterprise Security (ES) generates excessive notable events because of known test accounts, the best approach is to filter those accounts out of the search while keeping the detection active for every other user.
✅ B. Apply Filtering to Exclude Test Accounts (Correct)
Modifies the correlation search so that events from the known test accounts are excluded before the notable is generated.
Reduces false positives while keeping real threats visible: failed logins from any other account still trigger the detection.
Example: add an exclusion clause to the base search so the test accounts never reach the notable-generating logic (the field name must match the field the correlation search actually keys on, e.g. the CIM `user` field):
index=auth_logs NOT user IN ("test_user1", "test_user2")
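A fuller form of the same approach, added here as an example and not part of the original page: instead of hard-coding account names in the search, the exclusion reads a lookup table so the SOC can maintain the list without editing the correlation search. The lookup file name `test_accounts.csv` (with a single `user` column), the `action=failure` field/value, the 10-minute window and the threshold of 10 failures are all assumptions for illustration; the original page only shows `index=auth_logs NOT user IN (...)`.

```spl
| Correlation search base: failed authentications, with known test accounts removed.
| The subsearch expands to NOT ((user="test_user1") OR (user="test_user2") ...)
| from the rows of the assumed lookup test_accounts.csv.
index=auth_logs action=failure
    NOT [| inputlookup test_accounts.csv | fields user]
| Bucket into the assumed 10-minute detection window.
| bin _time span=10m
| Count failures per user per window and record where they came from.
| stats count AS failures, dc(src) AS distinct_sources, values(src) AS src BY _time, user
| Assumed threshold: 10 or more failures in one window creates a notable.
| where failures >= 10
| table _time, user, failures, distinct_sources, src
```

The `|`-prefixed comment lines above are explanatory only; remove them before pasting into the ES correlation search editor. Keep the exclusion list to explicit account names: a wildcard such as `user=test*` would let any account an attacker creates with that prefix bypass the detection entirely.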
❌Incorrect Answers:
A. Disable the correlation search for test accounts → A correlation search cannot be disabled for particular accounts; disabling it turns off the detection for everyone, removing visibility into failed logins that may indicate real threats.
C. Lower the search threshold for failed logins → A lower threshold fires on fewer failures, so it generates more notables (including more from the test accounts), making it harder for SOC teams to focus on real attacks.
D. Suppress all notable events temporarily → Suppression hides every notable from that search for the suppression period, including those for real security incidents.
Additional Resources:
Splunk ES: Managing Correlation Searches
Reducing False Positives in SIEM