View all questions & answers for the NSE 6 - FortiSIEM 7.2 Analyst Exam Materials exam


Question 11 Discussion

Refer to the exhibit. An analyst is troubleshooting the rule shown in the exhibit. It is not generating any incidents, but the filter parameters are generating events on the Analytics tab. What is wrong with the rule conditions? (Choose one answer)

  • A. The Aggregate attribute is too restrictive.
  • B. The Destination Host Name value is not fully qualified.
  • C. The Group By attributes restricts which events are counted.
  • D. The Event Type refers to a CMDB lookup and should be an Event lookup.
Correct Answer: C

Brave-Dump Clients Votes

A 50%
C 50%

Comments



mahmoud mostafa 2025-10-02 09:00:15

Selected Answers: A


Group by is somehow like the filter.
It just enhances how to show the result,
while the real restrictive condition is the aggregation:
if the event happens more than 3 times, show me; else I am not interested.


kair ahmid 2025-10-24 19:56:21

Selected Answers: C


I think it is C.
By grouping on Destination IP and User, the rule only counts events that share the same pair of values. Even though the filters match events in Analytics, they’re split across different groups, so COUNT(Source IP) >= 2 is never reached within a single group, and no incidents are generated.
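A small simulation of the mechanism described in the comment above, added here as an illustration and not taken from FortiSIEM or the original question. It assumes a rule that groups events by the listed attributes and fires when the event count within one group reaches the threshold; the event records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events: all of them pass the rule's filter, but every
# (Destination IP, User) pair is different, so no group ever holds 2 events.
EVENTS = [
    {"src_ip": "10.0.0.1", "dst_ip": "10.1.1.10", "user": "alice"},
    {"src_ip": "10.0.0.2", "dst_ip": "10.1.1.10", "user": "bob"},
    {"src_ip": "10.0.0.3", "dst_ip": "10.1.1.10", "user": "carol"},
    {"src_ip": "10.0.0.4", "dst_ip": "10.1.1.20", "user": "dave"},
]


def evaluate_rule(events, group_by, count_attr="src_ip", threshold=2):
    """Return the group keys that would raise an incident.

    Hypothetical model of a correlation rule: events are bucketed by the
    `group_by` attributes and COUNT(count_attr) >= threshold is evaluated
    per bucket, not across all filtered events.
    """
    buckets = defaultdict(int)
    for ev in events:
        key = tuple(ev[attr] for attr in group_by)
        if count_attr in ev:
            buckets[key] += 1
    return sorted(key for key, n in buckets.items() if n >= threshold)


def compare_group_by(events):
    """Show how the Group By choice decides whether the rule ever fires."""
    return {
        "dst_ip,user": evaluate_rule(events, ("dst_ip", "user")),
        "dst_ip": evaluate_rule(events, ("dst_ip",)),
    }


if __name__ == "__main__":
    for grouping, hits in compare_group_by(EVENTS).items():
        print(f"group by {grouping}: incidents for {hits or 'no groups'}")
```

Grouping by Destination IP alone lets the three events for 10.1.1.10 land in one bucket and the threshold is met; adding User to the Group By splits them into single-event buckets and the rule stays silent even though the filter matches in Analytics.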