Hey, if you’re referring to the correlation search detailed at Splunk Research, here are some suggestions to help reduce false positives (though these depend on your current user activity patterns):

- Identify the list of legitimate users or admins who are authorized to perform such PowerShell activities by running:

  | stats count BY process_name user process_path

- Initially, you can try excluding processes running from trusted directories like C:\\Windows\\System32\\* or C:\\Program Files\\*. However, note that some ransomware has been observed executing from the System32 directory as a parent process. So, consider excluding these paths only after analyzing and reducing the alert volume:

  | where NOT (process_path IN ("C:\\Windows\\System32\\*", "C:\\Program Files\\*") AND user IN ("admin_user"))
  | stats count BY process_name user process_path

- Pay close attention to processes that frequently appear. Cross-reference them with known benign activities to further refine your filtering logic.

- If the alerts are not time-sensitive, consider reducing the correlation search frequency (e.g., to every 6 hours) to mitigate alert fatigue.
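The allowlist logic in the reply above, modelled in Python so the effect of the `stats count BY` baseline and the `where NOT (path AND user)` suppression clause can be checked offline. This is an added example, not code from the original post or from Splunk; the events, user names and paths are constructed, and the trusted-path patterns and authorized-user set are assumptions standing in for whatever your own baseline shows. It also shows the caveat from the reply: an event under System32 is still alerted on when the user is not on the authorized list, because suppression requires both conditions.

```python
"""Model of tuning a PowerShell correlation search with a path/user allowlist.

Constructed sample events stand in for the process-creation events the Splunk
search would aggregate (process_name, user, process_path, parent_process).
"""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample telemetry (not real data). Paths use raw strings so a
# single backslash in the source is a single backslash in the value.
SAMPLE_EVENTS = [
    {"process_name": "powershell.exe", "user": "admin_user",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Windows\explorer.exe"},
    {"process_name": "deploytool.exe", "user": "admin_user",
     "process_path": r"C:\Program Files\Vendor\deploytool.exe",
     "parent_process": r"C:\Windows\System32\services.exe"},
    # Same System32 binary, but a user who is NOT on the authorized list:
    # must still alert (the "System32 as parent" caveat from the reply).
    {"process_name": "powershell.exe", "user": "svc_backup",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe"},
    {"process_name": "ps.exe", "user": "jdoe",
     "process_path": r"C:\Users\jdoe\AppData\Local\Temp\ps.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe"},
    # Authorized user, but running from an untrusted path: must still alert.
    {"process_name": "update.exe", "user": "admin_user",
     "process_path": r"C:\Users\admin_user\Downloads\update.exe",
     "parent_process": r"C:\Windows\explorer.exe"},
]

# Assumed tuning values; replace with what your own baseline shows.
TRUSTED_PATH_PATTERNS = [r"C:\Windows\System32\*", r"C:\Program Files\*"]
AUTHORIZED_USERS = {"admin_user"}


def baseline_counts(events):
    """Equivalent of `| stats count BY process_name user process_path`.

    Run this first to see which (process, user, path) tuples dominate the
    alert volume before deciding what to allowlist.
    """
    return Counter(
        (e["process_name"], e["user"], e["process_path"]) for e in events
    )


def path_is_trusted(path, patterns):
    """Case-insensitive glob match, since Windows paths are case-insensitive.

    fnmatchcase is used (not fnmatch) so behaviour is the same on any host OS;
    `*` in these patterns matches across backslashes, like the SPL wildcard.
    """
    lowered = path.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def is_suppressed(event, patterns, authorized_users):
    """Mirror `where NOT (process_path IN (...) AND user IN (...))`.

    An event is dropped only when BOTH the path is trusted AND the user is
    authorized; either condition alone keeps the event as an alert.
    """
    return (
        path_is_trusted(event["process_path"], patterns)
        and event["user"] in authorized_users
    )


def remaining_alerts(events, patterns, authorized_users):
    """Events that survive the allowlist, i.e. what the tuned search emits."""
    return [e for e in events if not is_suppressed(e, patterns, authorized_users)]


if __name__ == "__main__":
    for key, n in baseline_counts(SAMPLE_EVENTS).most_common():
        print(n, *key)
    print("--- after allowlist ---")
    for e in remaining_alerts(SAMPLE_EVENTS, TRUSTED_PATH_PATTERNS, AUTHORIZED_USERS):
        print(e["user"], e["process_path"], "parent:", e["parent_process"])
```

The two-condition suppression is the important design point: allowlisting a directory on its own would silence the `svc_backup` event, which is exactly the System32 case the reply warns about. Tying the path to a specific authorized user keeps that event visible while still removing the routine admin activity.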