A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)
Common traps:
- Trap 1: Disable all identity alerts. This removes useful detection coverage.
- Trap 2: Treat every VPN login as malicious. VPN use is common and not malicious by itself.
Options:
- A: Disable all identity alerts
  Why wrong: This removes useful detection coverage.
- B: Require a second signal such as new device, failed MFA, or mailbox rule creation
  Why correct: Combining identity anomalies reduces false positives.
- C: Add trusted VPN egress ranges as named/known locations
  Why correct: Known corporate VPN egress can explain apparent travel.
- D: Treat every VPN login as malicious
  Why wrong: VPN use is common and not malicious by itself.