Detection Engineering I • Room 1

Correlation Searches

In Splunk Enterprise Security (ES), a Correlation Search is a scheduled search that looks for a specific threat pattern (a TTP) and, when it matches, creates a Notable Event; it can also run other adaptive response actions, such as sending an alert. The search logic defines what the threat looks like; how analysts triage the resulting notables is handled separately in Incident Review.

Effective correlation balances precision (fidelity: the share of notables that are true positives) against recall (coverage: the share of real incidents that are caught). Tightening one usually costs the other, so tuning out false positives requires intimate knowledge of the environment, such as which accounts are expected to fail authentication and why. Tuning that is layered on top of the detection logic, rather than baked into it, can be reviewed, expired and audited without silently weakening the detection.
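The split described above, modelled as an added illustration (this is not Splunk or ES code, and SPL is not run here): the detection logic for a "Multiple Failed Logins" search is one function, and the tuning is a separate suppression list that records which notables it hid, by which rule and why, and that expires. The log lines, user names, thresholds and suppression entries are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed authentication events in key=value form (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 action=failure user=svc_backup src=10.0.0.5
2024-05-01T10:00:02Z host=web01 action=failure user=svc_backup src=10.0.0.5
2024-05-01T10:00:03Z host=web01 action=failure user=svc_backup src=10.0.0.5
2024-05-01T10:00:04Z host=web01 action=failure user=svc_backup src=10.0.0.5
2024-05-01T10:00:05Z host=web01 action=failure user=svc_backup src=10.0.0.5
2024-05-01T10:00:06Z host=web01 action=failure user=svc_backup src=10.0.0.5
2024-05-01T10:01:10Z host=vpn01 action=failure user=jdoe src=198.51.100.7
2024-05-01T10:01:11Z host=vpn01 action=failure user=jdoe src=198.51.100.7
2024-05-01T10:01:12Z host=vpn01 action=failure user=jdoe src=198.51.100.7
2024-05-01T10:01:13Z host=vpn01 action=failure user=jdoe src=198.51.100.7
2024-05-01T10:01:14Z host=vpn01 action=failure user=jdoe src=198.51.100.7
2024-05-01T10:02:00Z host=web01 action=failure user=alice src=10.0.0.9
2024-05-01T10:02:01Z host=web01 action=success user=alice src=10.0.0.9
"""

# Hypothetical suppression entry: a documented, expiring exception for a
# known noisy service account. The detection logic never sees this list.
SUPPRESSIONS = [
    {
        "name": "svc_backup_known_failures",      # assumed name
        "rule": "Multiple Failed Logins",         # only this rule is suppressed
        "field": "user",
        "value": "svc_backup",
        "reason": "backup job retries against a decommissioned share; owning team is fixing it",
        "expires": "2024-06-01T00:00:00Z",        # forces a review instead of a permanent blind spot
    },
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value log line; the first token is the ISO-8601 timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["_time"] = line.split(" ", 1)[0]
    return fields


def correlation_search(lines, threshold=5):
    """Detection logic only: one notable per user with >= threshold failures.

    The scheduled search's time range plays the role of the window, so the
    whole sample is treated as one run. There is deliberately no exclusion
    list here; tuning belongs in apply_suppressions().
    """
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") == "failure" and "user" in ev:
            failures[ev["user"]].append(ev)
    notables = []
    for user, evs in failures.items():
        if len(evs) >= threshold:
            notables.append({
                "rule": "Multiple Failed Logins",
                "user": user,
                "count": len(evs),
                "src": sorted({e["src"] for e in evs}),
                "first_time": evs[0]["_time"],
                "last_time": evs[-1]["_time"],
            })
    return notables


def apply_suppressions(notables, suppressions):
    """Tuning layer kept apart from detection: returns (shown, suppressed).

    Suppressed notables are returned as well, tagged with the suppression
    that hid them, so the audit trail survives. ISO-8601 'Z' timestamps
    compare correctly as strings, which is how expiry is checked.
    """
    shown, suppressed = [], []
    for n in notables:
        hit = None
        for s in suppressions:
            rule_ok = s.get("rule") in (None, n["rule"])
            field_ok = n.get(s["field"]) == s["value"]
            live = "expires" not in s or n["last_time"] <= s["expires"]
            if rule_ok and field_ok and live:
                hit = s
                break
        if hit:
            suppressed.append({**n, "suppressed_by": hit["name"], "reason": hit["reason"]})
        else:
            shown.append(n)
    return shown, suppressed


def run(lines=None, suppressions=None, threshold=5):
    """Run detection and then suppression over the constructed sample."""
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    suppressions = SUPPRESSIONS if suppressions is None else suppressions
    return apply_suppressions(correlation_search(lines, threshold), suppressions)


if __name__ == "__main__":
    shown, suppressed = run()
    for n in shown:
        print("NOTABLE  ", n["user"], n["count"], n["src"])
    for n in suppressed:
        print("SUPPRESSED", n["user"], n["count"], "by", n["suppressed_by"], "-", n["reason"])
```

Both accounts trip the detection; only the documented exception is hidden, and it is still returned with the reason attached. Flip the expiry date into the past and the service account's notable reappears, which is the behaviour you want from a tuning entry nobody has revisited.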

Knowledge Check

Question 1 of 1
A correlation search for "Multiple Failed Logins" is generating thousands of false positives for a known service account. What is the most robust way to tune this in ES?
A. Add a "NOT user=service_account" directly into the base SPL.
B. Create a Notable Event Suppression for that specific service account to maintain an audit trail and abstract tuning from logic.
C. Delete the correlation search entirely.
D. Tell analysts to just close the alerts manually in Incident Review.