Security: Risk-Based Alerting (RBA) - Wed 10/2/24

Published on 08-23-2024 11:28 AM by Splunk Employee | Updated on 10-03-2024 11:10 AM

Register here. This thread is for the Community Office Hours session on Security: Risk-Based Alerting on Wed, Oct 2, 2024 at 1pm PT / 4pm ET.

This is your opportunity to ask questions related to your specific Splunk Risk-Based Alerting needs, including:

  • Quick guidance on setting up the foundation and getting started with RBA
  • Essential steps for implementing RBA
  • Best practices for proper creation of risk rules, modifiers, etc.
  • Troubleshooting and optimizing your environment for successful implementation
  • Anything else you’d like to learn!

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here).

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

Look forward to connecting!

loriexi
Splunk Employee

Q1: Where should a novice begin with RBA?

A:   

  • plan a small use case
  • ensure risk notables are in QA mode
  • create a tag/eventtype for risk rule QA mode
  • play / dig into the risk index occasionally

Q2: RBA asks for a static risk score, but how do I manage this with a dynamic risk score depending on the query (SPL)?

A: 

  • eval is your best friend:

        index=edr_alerts NOT severity IN ("critical","high")
        ``` numeric scores (not "50") so they aggregate as numbers ```
        | eval risk_score = case(
              severity="medium", 50,
              severity="low",    25,
              severity="info",   10)

Q3: Can you talk about the best practice of using a variable/token for the risk score?

A:

  • separate noisy sub-types of results
  • to find them, try various | stats count by field1, field2, field3 searches or the Patterns tab
  • separating out low signal makes every event more meaningful

Live Questions: (refer to the recording)

  • How do you determine whether a particular machine is being attacked when its risk score has not breached the default threshold but the activity is still a true positive?
  • When using RBA in our lab, the RBA notable constantly repeats itself in ES Incident Review. How do we deal with that?
  • What's the best way to whitelist known activities or users performing business activities, without suppressing notables?
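
The following is an added example that extends the eval approach from Q2 into a complete risk rule search and an ad-hoc review of the risk index; it is not from the session or the original post. Assumptions: the index edr_alerts and the severity field come from the Q2 answer; the fields dest and signature, the lookup asset_priority (with fields dest and priority), the multipliers, and the thresholds 100 and 3 are illustrative placeholders; and the Enterprise Security risk adaptive response action is configured to take the score from the risk_score field in the results rather than a static value, which is the behaviour the Q2 answer relies on. The block holds two independent searches separated by a blank line: the first is the risk rule, the second reads index=risk as the Q1 answer suggests.

```spl
index=edr_alerts NOT severity IN ("critical","high")
| eval risk_score = case(
      severity="medium", 50,
      severity="low",    25,
      severity="info",   10,
      true(),            5)
| lookup asset_priority dest OUTPUT priority
| eval risk_score = case(
      priority="critical", risk_score * 2,
      priority="high",     risk_score * 1.5,
      true(),              risk_score)
| eval risk_object = dest, risk_object_type = "system"
| eval risk_message = signature . " on " . dest . " (severity=" . severity . ", priority=" . coalesce(priority, "unknown") . ")"
| table _time risk_object risk_object_type risk_score risk_message severity priority

index=risk earliest=-24h
| stats sum(risk_score) as total_risk dc(search_name) as rule_count values(search_name) as rules by risk_object risk_object_type
| where total_risk >= 100 OR rule_count >= 3
| sort -total_risk
```

The first search derives the base score from the EDR severity (with a catch-all of 5 for any severity the case statement does not list), scales it by the asset's priority as a risk modifier, and emits the risk_object, risk_object_type and risk_message fields that land in the risk index. The second search rolls risk up per object over 24 hours; the rule_count column shows whether an object crossed the line because several different rules fired or because one rule fired repeatedly, which is the first thing to check when the same notable keeps reappearing in Incident Review.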