<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.thread@place:occasion</title>
    <link>https://community.splunk.com/t5/Community-Office-Hours/Security-Risk-Based-Alerting-RBA-Wed-10-2-24/ec-p/700932#M121</link>
    <description>&lt;P class=""&gt;&lt;STRONG&gt;Q1: &lt;SPAN&gt;Where should a novice begin with RBA? &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;A: &amp;nbsp;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;plan a small use case&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;ensure risk notables are in &lt;/SPAN&gt;&lt;A href="https://splunk.github.io/rba/searches/risk_guide_searches/#structural-changes" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;QA mode&lt;/SPAN&gt;&lt;/A&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;create a tag/eventtype for risk rule QA mode&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;play / dig into the risk index occasionally&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;Q2: &lt;SPAN&gt;RBA asks for a static risk score, but how do I manage this with a dynamic risk score depending on the query (SPL)?&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;A:&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;eval is your best friend&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;index=edr_alerts NOT severity IN ("critical","high")&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;| eval risk_score = case(&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;severity="medium","50",&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;severity="low","25",&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;severity="info","10")&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;Q3:&amp;nbsp;&lt;SPAN&gt;Can you talk about the best practice of using a variable/token for the risk score?&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;A:&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;separate noisy sub-types of results&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;to find them, try various | stats count by field1, field2, field3 OR the &lt;/SPAN&gt;&lt;STRONG&gt;patterns&lt;/STRONG&gt;&lt;SPAN&gt; tab&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;separating out low signal makes every event more meaningful&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;Live Questions: (refer to the recording)&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;How are you going to determine if a particular machine is attacked and our asset score has not breached the default targeted risk, but it is still a true positive?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;When using RBA in our lab, the RBA notable constantly repeats itself in ES Incident Review. How do we deal with that?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;What's the best way to whitelist known activities or users performing business activities, without suppressing notables?&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;</description>
    <pubDate>Thu, 03 Oct 2024 18:14:30 GMT</pubDate>
    <dc:creator>loriexi</dc:creator>
    <dc:date>2024-10-03T18:14:30Z</dc:date>
    <item>
      <title>Security: Risk-Based Alerting (RBA) - Wed 10/2/24</title>
      <link>https://community.splunk.com/t5/Community-Office-Hours/Security-Risk-Based-Alerting-RBA-Wed-10-2-24/ec-p/697174#M110</link>
      <description>&lt;P data-unlink="true"&gt;&lt;STRONG&gt;&lt;A href="https://discover.splunk.com/Security-Risk-Based-Alerting.html" target="_self"&gt;Register here&lt;/A&gt;!&amp;nbsp;&lt;/STRONG&gt;This thread is for the Community Office Hours session on &lt;STRONG&gt;Security: Risk-Based Alerting&lt;/STRONG&gt;&amp;nbsp;on&amp;nbsp;&lt;STRONG&gt;Wed, Oct 2, 2024 at 1pm PT / 4pm ET.&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;This is your opportunity to ask questions related to your specific Splunk Risk-Based Alerting needs, including:&lt;/SPAN&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;Quick guidance to set up the foundation and get started with RBA&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Essential steps of implementing RBA&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Best practices for proper creation of risk rules, modifiers, etc.&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Troubleshooting and optimizing your environment for successful implementation&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Anything else you’d like to learn!&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Please submit your questions at registration.&lt;/STRONG&gt;&lt;SPAN&gt; You can also head to the &lt;/SPAN&gt;&lt;A href="https://splunk-usergroups.slack.com/archives/C0FRVF350" target="_blank" rel="noopener nofollow noreferrer"&gt;&lt;SPAN&gt;#office-hours&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; user Slack channel to ask questions (request access &lt;/SPAN&gt;&lt;A href="http://splk.it/slack" target="_blank" rel="noopener nofollow noreferrer"&gt;&lt;SPAN&gt;here&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;).&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Pre-submitted questions will be prioritized&lt;/STRONG&gt;&lt;SPAN&gt;. After that, we will open the floor up to live Q&amp;amp;A with meeting participants.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Look forward to connecting!&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 03 Oct 2024 18:10:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Community-Office-Hours/Security-Risk-Based-Alerting-RBA-Wed-10-2-24/ec-p/697174#M110</guid>
      <dc:creator>loriexi</dc:creator>
      <dc:date>2024-10-03T18:10:27Z</dc:date>
    </item>
    <item>
      <title>Re: Security: Risk-Based Alerting (RBA) - Wed 10/2/24</title>
      <link>https://community.splunk.com/t5/Community-Office-Hours/Security-Risk-Based-Alerting-RBA-Wed-10-2-24/ec-p/700932#M121</link>
      <description>&lt;P class=""&gt;&lt;STRONG&gt;Q1: &lt;SPAN&gt;Where should a novice begin with RBA? &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;A: &amp;nbsp;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;plan a small use case&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;ensure risk notables are in &lt;/SPAN&gt;&lt;A href="https://splunk.github.io/rba/searches/risk_guide_searches/#structural-changes" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;QA mode&lt;/SPAN&gt;&lt;/A&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;create a tag/eventtype for risk rule QA mode&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;play / dig into the risk index occasionally&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;Q2: &lt;SPAN&gt;RBA asks for a static risk score, but how do I manage this with a dynamic risk score depending on the query (SPL)?&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;A:&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;eval is your best friend&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;index=edr_alerts NOT severity IN ("critical","high")&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;| eval risk_score = case(&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;severity="medium","50",&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;severity="low","25",&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;severity="info","10")&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;Q3:&amp;nbsp;&lt;SPAN&gt;Can you talk about the best practice of using a variable/token for the risk score?&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;A:&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;separate noisy sub-types of results&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;to find them, try various | stats count by field1, field2, field3 OR the &lt;/SPAN&gt;&lt;STRONG&gt;patterns&lt;/STRONG&gt;&lt;SPAN&gt; tab&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;separating out low signal makes every event more meaningful&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;STRONG&gt;Live Questions: (refer to the recording)&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;How are you going to determine if a particular machine is attacked and our asset score has not breached the default targeted risk, but it is still a true positive?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;When using RBA in our lab, the RBA notable constantly repeats itself in ES Incident Review. How do we deal with that?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;What's the best way to whitelist known activities or users performing business activities, without suppressing notables?&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Thu, 03 Oct 2024 18:14:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Community-Office-Hours/Security-Risk-Based-Alerting-RBA-Wed-10-2-24/ec-p/700932#M121</guid>
      <dc:creator>loriexi</dc:creator>
      <dc:date>2024-10-03T18:14:30Z</dc:date>
    </item>
  </channel>
</rss>