An incident response team has determined that multiple incidents are resulting from the same user action of copying sensitive data to USB devices.
Which action should the incident response team take to fix this issue so only one incident per action is detected?
A. create separate policies for the different detection methods
B. combine multiple conditions into one compound rule
C. change which ‘Endpoint Destinations’ are monitored
D. change the monitor/ignore filters in the agent configuration