Splunk Tech Talks
Deep-dives for technical practitioners.

Operationalize MITRE ATT&CK™ with Risk Based Alerting (RBA)

Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition, Operationalize MITRE ATT&CK™ with Risk Based Alerting (RBA). Risk Based Alerting introduces a layer of abstraction between the detection analytics and the alerting process while aligning with the MITRE ATT&CK™ framework to account for user/system/service specific context when scoring anomalous behavior. 

Tune in to learn about how Splunk Risk Based Alerting allows you:

  • To scale existing analysts to include more data/analytics
  • Increase your true positive rates
  • Improve the effectiveness of your SOC

Tech Talk discussions remain open for two weeks following the live Tech Talk event. Have more questions? Check out our  MITRE ATT&CK conversations in Splunk Answers community for more!

Splunk Employee
Splunk Employee

Wanted to recap the questions from the live Tech Talk.


Q: For this situation described, can you please let us know what log sources need to be ingested into Splunk / Splunk UEBA?
A: Most organizations will start with traditional sources like web proxy, Auth, IDS, AV, firewall, etc. When you align to a CSF like MITRE ATT&CK, data sources like SYSMON, EDR, DNS, etc provide a much greater portion of coverage. In general, if the data source provides investigative worthy context to an analyst, it's fair game.
Q: Can SA-RBA be used without Enterprise Security?
A: Yes.
Q: Are these rules prepackaged into ES ?
A: You can use rules packaged in ES, Splunk Security Essentials, or Enterprise Security Content Updates. There is also a community repo located at https://rbaallday.com.
Q: Where are the correlation searches located ?
A: The searches, macros, dashboards, etc that were used in this demo are all located here:  https://rbaallday.com.  General content that can be modified for usage with RBA can also be found in Enterprise Security, Splunk Security Essentials App, or the Enterprise Security Content Update App.