How can the analyst tune the event rule to eliminate these false positives?

An analyst is noticing false positives from a single IP on a specific offense .

How can the analyst tune the event rule to eliminate these false positives?
A . Add the rule test "AND when IP address equals" to the bottom of the test list of the rule.
B . Add the rule test "AND NOT when the offense is indexed by one of the following IP addresses".
C . Add the rule test "AND NOT when IP address equals" to the bottom of the test list of the rule,
D . Add the rule test "AND when IP address equals" to the top of the test list of the rule.

View Answer

Answer: C