🔥 3-day streak
CompTIA SecurityX (CAS-005)91 / 120
Question 91 of 120

A SOC analyst is building a SIEM correlation rule to detect credential-stuffing attacks against a public-facing authentication API. The current rule fires an alert whenever ANY of the following occur: more than 50 failed logins from a single IP in 5 minutes, OR failed logins across more than 20 distinct usernames from one IP, OR a login from a geolocation the account has never used. During the first week, the rule generated over 4,000 alerts, of which fewer than 20 were confirmed malicious, overwhelming the team. Management wants higher-fidelity detection without deploying new tooling. Which change to the correlation logic will BEST improve alert fidelity for this specific attack pattern?

Reviewed for accuracy · Report an issueNext question