This thread is for the Community Office Hours session on Splunk Enterprise Security: RBA on Wednesday, November 8, 2023, at 1pm PT / 4pm ET.
This is your opportunity to ask questions about your specific challenge or use case with Splunk Enterprise Security Risk-Based Alerting (RBA), including:
Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).
Pre-submitted questions will be prioritized. After that, we will go in order of the questions posted below, then will open the floor up to live Q&A with meeting participants. If there’s a quick answer available, we’ll post as a direct reply.
Look forward to connecting!
Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):
Q1: What’s the best way to manage risk scores?
Q2: Does Splunk have best practices for setting and adjusting risk scores as our implementation improves?
Q3: When working with ES's Assets & Identities with RBA, how would you handle things such as the SYSTEM account, or 'Unknown' from TAs not mapping properly, so that RBA wouldn't trigger on it?
Here are some other questions from the session (check the #office-hours Slack channel for responses):