Question 154
A new SIEM rule generates excessive false positives. What’s the best corrective action?
A. Remove the rule
B. Increase severity level
C. Refine logic and validate against baseline behavior
D. Ignore alerts temporarily
Answer: Refine logic and validate against baseline behavior
The rule's logic has to be tuned and then validated by replaying it against a baseline of normal activity, so that noise drops without losing coverage. Removing the rule or ignoring its alerts gives up the detection entirely, and raising the severity only makes the same noise louder; the baseline is what lets you measure the false-positive rate before and after each change.
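The following is an added example, not part of the original question or answer, showing what "refine the logic and validate against a baseline" looks like in practice. It parses constructed sshd-style log lines (the hostnames, usernames, IPs and counts are made up for illustration), runs a naive "5 failed logins per day" rule, then derives a per-user threshold from five baseline days and replays both rules over the baseline to count false positives. The regex, thresholds and the three-sigma choice are assumptions, not SIEM vendor defaults.

```python
"""Tune a noisy failed-login rule against a baseline of normal activity.

Added example (not from the original page). All log lines are constructed;
field layout, thresholds and account names are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed syslog-style layout: "<ISO time> <host> sshd[pid]: Failed password for <user> from <src> ..."
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

BASELINE_DAYS = [f"2024-03-0{i}" for i in range(1, 6)]  # five "known normal" days
TEST_DAY = "2024-03-06"                                   # day containing a real spike

NAIVE_THRESHOLD = 5   # v1 rule: alert on >= 5 failures per user per day
MIN_FAILURES = 5      # floor so a user with a near-zero baseline does not alert on 1 failure
SIGMAS = 3            # alert when a count exceeds baseline mean + 3 standard deviations


def constructed_logs():
    """Constructed lines: normal users fail occasionally, and a service account
    with a stale credential fails 12 times a day. The test day adds a 40-attempt
    burst against 'alice' from a single source address."""
    lines = []
    per_user_daily = {"alice": [2, 1, 3, 0, 2], "bob": [0, 1, 0, 2, 1],
                      "svc-backup": [12, 12, 12, 12, 12]}
    for i, day in enumerate(BASELINE_DAYS):
        for user, counts in per_user_daily.items():
            for k in range(counts[i]):
                lines.append(f"{day}T{k:02d}:15:00 host1 sshd[4242]: Failed password "
                             f"for {user} from 10.0.0.5 port 22 ssh2")
    for k in range(12):
        lines.append(f"{TEST_DAY}T{k:02d}:05:00 host1 sshd[4242]: Failed password "
                     f"for svc-backup from 10.0.0.5 port 22 ssh2")
    for k in range(40):
        lines.append(f"{TEST_DAY}T03:{k:02d}:00 host1 sshd[4242]: Failed password "
                     f"for alice from 203.0.113.9 port 22 ssh2")
    return lines


def daily_failures(lines):
    """Parse log lines into day -> user -> failed-login count."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m["day"]][m["user"]] += 1
    return counts


def naive_rule(day_counts):
    """v1 logic: fixed threshold, same for every account."""
    return sorted(u for u, n in day_counts.items() if n >= NAIVE_THRESHOLD)


def build_baseline(counts, baseline_days):
    """Per-user (mean, stddev) of daily failures over the baseline period.
    Days with no failures count as zero, otherwise the mean is inflated."""
    users = {u for d in baseline_days for u in counts[d]}
    return {u: (mean(s), pstdev(s))
            for u in users
            for s in [[counts[d].get(u, 0) for d in baseline_days]]}


def refined_rule(day_counts, baseline):
    """v2 logic: alert only when a user exceeds their own baseline by SIGMAS
    standard deviations, never below MIN_FAILURES. A user absent from the
    baseline falls back to the floor."""
    alerts = []
    for user, n in day_counts.items():
        mu, sd = baseline.get(user, (0.0, 0.0))
        if n > max(mu + SIGMAS * sd, MIN_FAILURES):
            alerts.append(user)
    return sorted(alerts)


def false_positives(rule, counts, baseline_days):
    """Replay a rule over the baseline days; by definition every alert there is noise."""
    return sum(len(rule(counts[d])) for d in baseline_days)


def run():
    counts = daily_failures(constructed_logs())
    baseline = build_baseline(counts, BASELINE_DAYS)
    refined = lambda dc: refined_rule(dc, baseline)
    return {
        "naive_fp": false_positives(naive_rule, counts, BASELINE_DAYS),
        "refined_fp": false_positives(refined, counts, BASELINE_DAYS),
        "naive_test_day": naive_rule(counts[TEST_DAY]),
        "refined_test_day": refined(counts[TEST_DAY]),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

Over the five baseline days the fixed-threshold rule fires every day on the service account (five false positives) while the baseline-derived rule fires zero times, and on the test day only the refined rule isolates the genuine burst against `alice`. Two caveats a practitioner would add: the baseline period must itself be reviewed so you are not normalising an ongoing compromise, and a service account that fails authentication twelve times a day is a misconfiguration to fix at source, not something to tune around forever.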