All Topics

Hi, when using the jdk8+ javaagent version 22.12.0, I see the error below:

$ java -javaagent:/cache/javaagent.jar -version
Unable to locate appagent version to use - Java agent disabled
openjdk version "1.8.0_382"
OpenJDK Runtime Environment (Zulu 8.72.0.17-CA-linux64) (build 1.8.0_382-b05)
OpenJDK 64-Bit Server VM (Zulu 8.72.0.17-CA-linux64) (build 25.382-b05, mixed mode)

Which javaagent version is compatible with this Java version?
Example logs:

2022-08-19 08:10:53.0593|**Starting**
2022-08-19 08:10:53.5905|fff
2022-08-19 08:10:53.6061|dd
2022-08-19 08:10:53.6218|Shutting down
2022-08-19 08:10:53.6218|**Starting**
2022-08-19 08:10:53.6374|fffff
2022-08-19 08:10:53.6686|ddd
2022-08-19 08:10:53.6843|**Starting**
2022-08-19 08:10:54.1530|aa
2022-08-19 08:10:54.1530|vv

From these I have created three columns: Devicenumber, _time, and Description. If a **Starting** message is followed by a "Shutting down" message, it should be classified as good; if a Starting message is not followed by a Shutting down message, it should be classified as bad. From the example above there should be two bad and one good. If there is only one row, with only a Starting and no Shutting down recorded, that case should also be classified as bad.
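A minimal SPL sketch of one way to classify this, assuming the Description field holds the Starting / Shutting down text and Devicenumber identifies the device (the index and sourcetype are placeholders). It sorts each device's events newest-first so that streamstats can look at the event that follows each Starting in time:

index=your_index sourcetype=your_sourcetype
| eval phase=case(like(Description, "%Starting%"), "start", like(Description, "%Shutting down%"), "stop", true(), null())
| where isnotnull(phase)
| sort 0 Devicenumber - _time
| streamstats current=f window=1 last(phase) as next_phase by Devicenumber
| where phase="start"
| eval classification=if(next_phase="stop", "good", "bad")
| table Devicenumber _time classification

A Starting with no later event at all ends up with an empty next_phase and is therefore classified as bad, which matches the single-row case described above.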
I'm trying to run a lookup against a list of values in an array. I have a CSV which looks as follows:

id    x       y
123   Data    Data2
321   Data    Data2
456   Data3   Data3

The field from the search is an array which looks as follows: ["123", "321", "456"]

I want to map the lookup values. Do I need to iterate over the field, or can I use a lookup directly — which is the best option?
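A hedged sketch of one way to do this, assuming the array arrives as a literal string like ["123", "321", "456"] in a field called ids and the CSV is available as a lookup file named my_ids.csv (both names are placeholders):

index=your_index sourcetype=your_sourcetype
| eval id=split(replace(ids, "[\[\]\"\s]", ""), ",")
| mvexpand id
| lookup my_ids.csv id OUTPUT x y
| table id x y

If the field is already a clean multivalue field, the eval line can be dropped and mvexpand applied directly before the lookup.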
I have a working query that uses transaction to find the starting/ending log event. I am trying to make some changes, but transaction is not working as I expected.

In my current working example I am looking for a job name and then the starting and ending log event, using one query:

index=anIndex sourcetype=aSourcetype aJobName AND ("START of script" OR "COMPLETED OK")

This works fine when there are no issues, but if a job fails there will be multiple "START of script" events and only one "COMPLETED OK" event. So I tried reworking my query as follows to get only the most recent of each start/completed log event:

index=anIndex sourcetype=aSourcetype aJobName AND "START of script"
| head 1
| append [ search index=anIndex sourcetype=aSourcetype aJobName AND "COMPLETED OK" | head 1 ]

But when I get to the part that creates a transaction, the transaction only contains the starting log event:

| rex "(?<event_name>(START of script)|(COMPLETED OK))"
| eval event_name=case(event_name="START of script", "script_start", event_name="COMPLETED OK", "script_complete")
| eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval {event_name}_time=_time
| rex field=_raw "Batch::(?<batchJobName>[^\s]*)"
| transaction keeporphans=true host batchJobName startswith=(event_name="script_start") endswith=(event_name="script_complete")

Is the use of | append [...] the cause? If append cannot be used with transaction, what other way can I get the data I'm looking for?
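One possible reason the transaction only keeps the starting event is that append places the subsearch results after the main results, while transaction expects events in descending time order. A hedged alternative that avoids both append and transaction, using the same field extractions as the post, is to pick the latest start and latest completion per job with stats:

index=anIndex sourcetype=aSourcetype aJobName ("START of script" OR "COMPLETED OK")
| rex "(?<event_name>START of script|COMPLETED OK)"
| rex field=_raw "Batch::(?<batchJobName>[^\s]*)"
| eval start_time=if(event_name="START of script", _time, null()), complete_time=if(event_name="COMPLETED OK", _time, null())
| stats max(start_time) as start_time max(complete_time) as complete_time by host batchJobName
| eval status=if(isnull(complete_time), "incomplete", "complete"), duration=complete_time-start_time

A failed job then shows up as status=incomplete instead of being silently dropped, which is roughly what transaction with keeporphans was approximating.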
Hi, how can we fix this issue on the ES search head?

Health Check: msg="A script exited abnormally with exit status: 1" input=".$SPLUNK_HOME/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" stanza="default"

Thanks.
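A hedged first step for digging into why that script exits with status 1 is to pull its errors out of the internal splunkd logs on the ES search head (the ExecProcessor component is where scripted-input output usually lands, but component and field names can vary by version):

index=_internal sourcetype=splunkd "save_image_and_icon_on_install.py" (log_level=ERROR OR log_level=WARN OR component=ExecProcessor)
| table _time host component log_level _raw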
I'm having some trouble coming up with the SPL for the following situation: I have a series of events with a timestamp. These events have an extracted field with a value of either "YES" or "NO". When sorted by _time we end up with a list like the following:

_time   Result
time1   YES
time2   NO
time3   NO
time4   YES

I'd like to count the duration between the "NO" values and the next "YES" value, so in this case we'd have a duration equal to time4 - time2.

index=* sourcetype=*mantec* "Computer name" = raspberry_pi06 "Risk name" = WS.Reputation.1
| sort _time
| eval removed = if('Actual action' == "Quarantined", "YES", "NO")
| streamstats reset_before="("removed==\"YES\"")" last(_time) as lastTime first(_time) as firstTime count BY removed
| eval duration = round((lastTime - firstTime)/60,0)
| table removed duration count _time

I've tried to lean on streamstats, but the result resets the count at the last "NO" and doesn't count the time of the next "YES"; we end up with a duration equal to time3 - time2. Also, in the case of a single "NO" followed by a "YES" we get a duration of 0, which is also incorrect. I feel like I'm missing something extremely obvious.
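A hedged sketch of one way to measure from the first NO of a run to the next YES, using the same base search as above; streamstats and filldown are used to remember where each NO run started:

index=* sourcetype=*mantec* "Computer name"=raspberry_pi06 "Risk name"=WS.Reputation.1
| sort 0 _time
| eval removed=if('Actual action'=="Quarantined", "YES", "NO")
| streamstats current=f window=1 last(removed) as prev_removed
| eval no_start=if(removed="NO" AND (isnull(prev_removed) OR prev_removed="YES"), _time, null())
| filldown no_start
| where removed="YES" AND prev_removed="NO"
| eval duration_minutes=round((_time - no_start)/60, 0)
| table _time no_start duration_minutes

For the example list this yields time4 - time2, and a lone NO immediately followed by a YES yields the real gap between those two events rather than 0.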
Hi Folks, I am trying to figure out how to compare a single field based on another field called timestamp. I pull data into Splunk via a JSON file that looks like the following:

{"table": "Route", "timestamp": "2023-11-07T12:25:43.208903", "dst": "10.240.0.0/30"}
{"table": "Route", "timestamp": "2023-11-07T12:25:43.208903", "dst": "10.241.0.0/30"}
{"table": "Route", "timestamp": "2023-11-07T12:25:43.208903", "dst": "10.242.0.0/30"}
{"table": "Route", "timestamp": "2023-11-10T13:12:17.529455", "dst": "10.240.0.0/30"}
{"table": "Route", "timestamp": "2023-11-10T13:12:17.529455", "dst": "10.241.0.0/31"}
{"table": "Route", "timestamp": "2023-11-10T13:12:17.529455", "dst": "10.245.0.0/30"}

There will be tens or hundreds of unique dst values, all with the same timestamp value. What I'd like to do is take all dst values for one timestamp and compare them against the set of dst values for a different timestamp. So far, I've been able to use appendcols plus a simple eval to compare stats values from one timestamp to another:

index=<index> host=<host> sourcetype=_json timestamp=2023-11-07T12:25:43.208903
| stats values(dst) as old_prefix
| appendcols [search index=<index> host=<host> sourcetype=_json timestamp=2023-11-10T13:12:17.529455 | stats values(dst) as new_prefix]
| eval result=if(old_prefix=new_prefix, "pass","fail")
| table old_prefix new_prefix result

And these are the results I get:

old_prefix                                  new_prefix                                  result
10.240.0.0/30 10.241.0.0/30 10.242.0.0/30   10.240.0.0/30 10.241.0.0/31 10.245.0.0/30   fail

But what I'd really want to see is something along the lines of this:

old_prefix      new_prefix      result   present_in_old_table   present_in_new_table
10.240.0.0/30   10.240.0.0/30   pass
10.241.0.0/30                   fail     10.241.0.0/30
                10.241.0.0/31   fail                            10.241.0.0/31
10.242.0.0/30                   fail     10.242.0.0/30
                10.245.0.0/30   fail                            10.245.0.0/30

Or this:

old_prefix                                  new_prefix                                  result   present_in_old_table          present_in_new_table
10.240.0.0/30 10.241.0.0/30 10.242.0.0/30   10.240.0.0/30 10.241.0.0/31 10.245.0.0/30   fail     10.241.0.0/30 10.242.0.0/30   10.241.0.0/31 10.245.0.0/30

Is this something that could reasonably be done inside Splunk? Please let me know if you have any further questions for me.
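A minimal per-prefix sketch of one way to get the second layout, assuming the two timestamp values are known up front as in the post (index, host, and the "old"/"new" labels are placeholders):

index=<index> host=<host> sourcetype=_json (timestamp="2023-11-07T12:25:43.208903" OR timestamp="2023-11-10T13:12:17.529455")
| eval table_age=if(timestamp="2023-11-07T12:25:43.208903", "old", "new")
| stats values(table_age) as seen_in by dst
| eval result=if(mvcount(seen_in)=2, "pass", "fail")
| eval present_in_old_table=if(isnotnull(mvfind(seen_in, "old")), dst, null())
| eval present_in_new_table=if(isnotnull(mvfind(seen_in, "new")), dst, null())
| table dst result present_in_old_table present_in_new_table

This produces one row per dst prefix, marked pass when it appears under both timestamps and fail otherwise, which avoids the appendcols row-alignment problem entirely.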
Hi, I am trying to build a dashboard and I need queries for the searches below:

1. Report of false positives relative to the total number of alerts
2. Monthly report of Splunk alerts by severity (high / medium / low)

Can anyone help me in building the same?
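A hedged starting point, assuming the alerts in question are Enterprise Security notables and that false positives are recorded in the status label (the "False Positive" label is an assumption; adjust to however your SOC actually closes false positives, for example a disposition field):

`notable`
| stats count as total_alerts count(eval(like(status_label, "%False Positive%"))) as false_positives
| eval false_positive_pct=round(false_positives/total_alerts*100, 2)

and, for the monthly breakdown by severity:

`notable`
| timechart span=1mon count by urgency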
Hi, I need some help in creating a table from the JSON events below. Can someone please help me with that? The table columns should be 'Name' and 'Count'; Name should hold "cruice", "crpice", etc. and Count should have the corresponding values. Any help would be appreciated. Thanks.

11/7/23 9:04:23.616 PM   "Year": {
host = iapp6373.howard.ms.com   source = /tmp/usage_snapshot.json   sourcetype = tsproid_prod.db2ts_log_generator:app

11/7/23 9:04:23.616 PM   "Top30RequesterInOneYear": {
host = iapp6373.howard.ms.com   source = /tmp/usage_snapshot.json   sourcetype = tsproid_prod.db2ts_log_generator:app

11/7/23 9:04:23.616 PM   "cruice": 2289449,
host = iapp6373.howard.ms.com   source = /tmp/usage_snapshot.json   sourcetype = tsproid_prod.db2ts_log_generator:app

11/7/23 9:04:23.616 PM   "crpice": 1465846,
host = iapp6373.howard.ms.com   source = /tmp/usage_snapshot.json   sourcetype = tsproid_prod.db2ts_log_generator:app

11/7/23 9:04:23.616 PM   "zathena": 1017289,
host = iapp6373.howard.ms.com   source = /tmp/usage_snapshot.json   sourcetype = tsproid_prod.db2ts_log_generator:app

11/7/23 9:04:23.616 PM   "qrecon": 864252,
host = iapp6373.howard.ms.com   source = /tmp/usage_snapshot.json   sourcetype = tsproid_prod.db2ts_log_generator:app
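Since each event here looks like a single "key": value fragment rather than a complete JSON object, a hedged sketch that simply extracts the pair with a regex (the index name is a placeholder, and events without a numeric value, such as "Year": {, are dropped):

index=your_index sourcetype="tsproid_prod.db2ts_log_generator:app" source="/tmp/usage_snapshot.json"
| rex field=_raw "\"(?<Name>[^\"]+)\":\s*(?<Count>\d+)"
| where isnotnull(Count)
| table Name Count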
I don't know why Splunk does not distribute clear instructions or tools to install and configure the forwarder properly on Linux. RHEL 9.x does not have init.d, so you need to set boot-start with -systemd-managed 1, but even then the installed service also needs systemctl enable SplunkForwarder.service; on RHEL 8 this is not the case. The latest forwarder 9.1.1 also won't set up properly if you don't use user-seed.conf.

I came up with the script below, which does the job somehow; it would be nice if someone would add their ideas to make it better. (I'm running Splunk as root for testing purposes.)

#!/bin/bash
## forwarder package to install (referenced by the rpm command below)
SPLUNK_FILE="splunkforwarder-9.1.1-64e843ea36b1.x86_64.rpm"
rpm -ivh "$SPLUNK_FILE"

## change ownership to root (running as root for testing)
chown -R root:root /opt/splunkforwarder

## create user-seed.conf so Splunk sets the admin credentials without user interaction
## (the script already runs as root, so a plain redirect is enough; sudo would not apply to the redirection anyway)
cat <<EOF > /opt/splunkforwarder/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = changeme
EOF

## configure splunk (RHEL 8, init.d-style boot-start)
/opt/splunkforwarder/bin/splunk set deploy-poll 192.168.68.129:8089 --accept-license --answer-yes --auto-ports --no-prompt
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 0
/opt/splunkforwarder/bin/splunk start --no-prompt --answer-yes

## configure splunk on RHEL 9.x (systemd-managed service)
#/opt/splunkforwarder/bin/splunk set deploy-poll 192.168.68.129:8089 --accept-license --answer-yes --auto-ports --no-prompt
#/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1
#systemctl enable SplunkForwarder.service
#systemctl start SplunkForwarder.service
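Once the script has run, a hedged way to confirm from the Splunk side that the new forwarder is actually connecting and sending its internal logs (the hostname is a placeholder):

index=_internal host=<new_forwarder_hostname> sourcetype=splunkd
| stats latest(_time) as last_seen count
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")

If nothing comes back, the forwarder either has no outputs configured yet (expected until the deployment server pushes an outputs app) or cannot reach the indexing tier.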
Hi!

I have the following table:

SESSION_ID   SUBMITTED_FROM   STAGE
1                             submit
1            startPage        someStage1
2                             submit
2            page1            someStage1
2            page2            someStage2

How could I count the number of SESSION_IDs that have SUBMITTED_FROM=startPage and STAGE=submit? Looking at the above table, the outcome of that logic should be 2 SESSION_IDs.
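A minimal sketch of one way to count this, assuming each table row above is a separate event and that "has" means the session has a SUBMITTED_FROM=startPage event and a STAGE=submit event somewhere among its rows (the index name is a placeholder; loosen the where clause to OR if either condition alone should count):

index=your_index
| stats count(eval(SUBMITTED_FROM="startPage")) as from_start count(eval(STAGE="submit")) as submitted by SESSION_ID
| where from_start>0 AND submitted>0
| stats dc(SESSION_ID) as session_count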
Hi All,

I have this query that runs:

| tstats latest(_time) as LatestEvent where index=* by index, host
| eval LatestLog=strftime(LatestEvent,"%a %m/%d/%Y %H:%M:%S")
| eval duration = now() - LatestEvent
| eval timediff = tostring(duration, "duration")
| lookup HostTreshold host
| where duration > threshold
| rename host as "src_host", index as "idx"
| fields - LatestEvent
| search NOT (index="cim_modactions" OR index="risk" OR index="audit_summary" OR index="threat_activity" OR index="endpoint_summary" OR index="summary" OR index="main" OR index="notable" OR index="notable_summary" OR index="mandiant")

The result is below.

Now how do I add index=waf_imperva? Thanks.

Regards, Roger
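It is not completely clear whether waf_imperva should be excluded like the other indexes or shown on its own, so here is a hedged sketch of the first reading. Note that because the query renames index to idx before the final filter, the exclusion appears to need idx rather than index (or the search NOT line can be moved above the rename):

| search NOT (idx="cim_modactions" OR idx="risk" OR idx="audit_summary" OR idx="threat_activity" OR idx="endpoint_summary" OR idx="summary" OR idx="main" OR idx="notable" OR idx="notable_summary" OR idx="mandiant" OR idx="waf_imperva")

If the intent is instead to report only on waf_imperva, the same reasoning gives | search idx="waf_imperva" as the final line.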
Hi,

The code is the following:

index=asa host=1.2.3.4 src_sg_info=*
| timechart span=10m dc(src_sg_info) by src_sg_info
| rename user1 as "David E"
| rename user2 as "Mary E"
| rename user3 as "Lucy E"

If the number of users is 0, then we know there is no VPN user at all. The plan is to print that out together with the active VPN users in the timechart, if possible — that is, time buckets with activity show the user series, and time buckets with no users at all show a "No VPN user" indicator.
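A hedged sketch of one way to add that indicator as its own series, building on the same timechart (the fillnull is there in case empty buckets come back as null rather than 0):

index=asa host=1.2.3.4 src_sg_info=*
| timechart span=10m dc(src_sg_info) by src_sg_info
| fillnull value=0
| addtotals fieldname=active_users
| eval "No VPN user"=if(active_users=0, 1, 0)
| fields - active_users

Each 10-minute bucket then carries a "No VPN user" column that is 1 only when every user series is zero, which can be drawn alongside the per-user series or used to annotate the chart.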
We are having issues with data models from Splunk_SA_CIM running for a very long time (hitting the limit) and causing out-of-memory (OOM) issues on our indexers. We have brand-new physical servers with 128 GB RAM and 48 cores. The Enterprise Security search head cluster has data models enabled that run on both the old and the new hardware, yet we are getting OOM on the new hardware and every run hits our 30+ minute limit.

Example configuration for the Authentication DMA:

allow_old_summaries = true
allow_skew = 5%
backfill_time = -1d
cron_schedule = */5 * * * *
earliest_time = -6mon
hunk.compression_codec = -
hunk.dfs_block_size = 0
hunk.file_format = -
manual_rebuilds = true
max_concurrent = 1
max_time = 1800

Any tips on troubleshooting data models that run for a very long time and cause out-of-memory (OOM) errors? Thanks!
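A hedged first step is to measure how long each acceleration search actually runs, and whether runs are skipping or being cut off, from the scheduler logs (the _ACCELERATE_* naming and the run_time/status fields are the usual scheduler.log conventions, but verify them in your environment):

index=_internal sourcetype=scheduler savedsearch_name="_ACCELERATE_*"
| stats avg(run_time) as avg_run_time max(run_time) as max_run_time count(eval(status="skipped")) as skipped count by savedsearch_name, host
| sort - max_run_time

Comparing these numbers between the old and new indexers may show whether one data model dominates the runtime before digging into acceleration settings such as the -6mon earliest_time.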
Hello, I received the following error; the issue resolved itself after 4 hours. The CSV file size is 54 MB.

Streamed search execute failed because: Error in 'lookup' command: Failed to re-open lookup file: 'opt/splunk/var/run/searchpeers/[random number]/apps/[app-name]/lookups/test.csv'

I am aware that there is already a post about this, but I have more questions.

1) What is the cause of this error? Is it because of the bug mentioned in the old post below? I am running 9.0.4, so the bug should have been fixed.
https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569878

2)
a) Is it because max_memtable_bytes in limits.conf is 25 MB?
https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Limitsconf
b) How do I check limits.conf via the GUI without the admin role?
c) What does "Lookup files with size above max_memtable_bytes will be indexed on disk" mean? Is it a good thing or bad?
d) If I see a cs.index.alive file auto-generated, does it mean the lookup is indexed on disk?
[random number]/apps/[app-name]/lookups/test.csv
[random number]/apps/[app-name]/lookups/test.csv_[random number].cs.index.alive

3) If I am not allowed to change any setting (increase the 25 MB limit), what is the solution for this issue?

I appreciate your help. Thank you.
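A hedged sanity check while the error is occurring is to confirm whether the lookup can still be read by a search at all and how many rows it has (the file name is taken from the post):

| inputlookup test.csv
| stats count as row_count

If inputlookup works on the search head but the lookup command still fails on a search peer, that points more toward the replicated knowledge-bundle copy under var/run/searchpeers than toward the lookup file itself.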
Hi guys, I am performing a POC to import our Parquet files into Splunk. I have managed to write a Python script that extracts the events (the raw logs) into a DataFrame, and another Python script that pumps the logs via the syslog protocol to a heavy forwarder and then on to the indexer. I am using the syslog method because I have many log types, and [udp://portnumber] stanzas let me ingest several types of logs at once into different sourcetypes. However, when I do this I am not able to retain the original date/time of the raw event; Splunk takes the date/time of the moment I sent the event. I am using Python because all these Parquet files are stored in an S3 container, so it is easier for me to loop through the directory and extract the files.

I was hoping someone can help me out: how can I keep the original timestamp of the logs? Or is there a more effective way of doing this?

Sample log from Splunk after indexing:

Nov 10 09:45:50 127.0.0.1 <190>2023-09-01T16:59:12Z server1 server2 %NGIPS-6-430002: DeviceUUID: xxx-xxx-xxx

Here is my code to push the events via syslog:

import logging
import logging.handlers
import socket
from IPython.display import clear_output

# Create the logger. Please note that this logger is different from the ArcSight logger.
my_loggerudp = logging.getLogger('MyLoggerUDP')
#my_loggertcp = logging.getLogger('MyLoggerTCP')

# We will pass the message as INFO
my_loggerudp.setLevel(logging.INFO)

# Define the SyslogHandler
# TCP variant (unused):
#handlertcp = logging.handlers.SysLogHandler(address=('localhost', 1026), socktype=socket.SOCK_STREAM)
# UDP: address is the syslog collector (here the local heavy forwarder input port; 514 is the syslog default)
handlerudp = logging.handlers.SysLogHandler(address=('localhost', 1025), socktype=socket.SOCK_DGRAM)
my_loggerudp.addHandler(handlerudp)
#my_loggertcp.addHandler(handlertcp)

# Send every extracted event from the DataFrame as one syslog message
event = df["event"]
count = len(event)
for x in event:
    clear_output(wait=True)
    my_loggerudp.info(x)
    my_loggerudp.handlers[0].flush()
    count -= 1
    print(f"logs left to transmit: {count}")
    print(x)
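A hedged way to confirm from the Splunk side whether the embedded 2023-09-01T16:59:12Z timestamp is being parsed, or whether _time is just the arrival time, is to compare _time with _indextime for the ingested data (index and sourcetype are placeholders):

index=<your_index> sourcetype=<your_sourcetype>
| eval lag_seconds=_indextime - _time
| stats min(lag_seconds) as min_lag avg(lag_seconds) as avg_lag max(lag_seconds) as max_lag

If the lag is close to zero even though the events are weeks old, the payload timestamp is not being used, and the fix is usually on the sourcetype's props.conf side (for example TIME_PREFIX/TIME_FORMAT pointing at the ISO timestamp after the syslog priority) rather than in the sending script.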
Hi, I'm trying to convert this search to show totals in hours instead of days/dates. Can anyone help me please?

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep*
| where Dimension>0 OR ProtrusionError>0 OR OffCentreError>0
| table _time OrderId ProtrusionError OffCentreError Dimension *
| bin _time span=1d
| eval _time=strftime(_time,"%d")
| eval foo=ProtrusionError+OffCentreError+Dimension
| chart sum(foo) as ErrorFrequency over Location by _time useother=f limit=100
| addtotals
| sort 0 - Total _time
| fields - TOTAL
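If "totals in hours" means hourly buckets rather than daily ones, a minimal variation of the same search (keeping the original field names) is to shrink the bin span and change the label format; adjust the strftime pattern if the date should still be shown with the hour:

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep*
| where Dimension>0 OR ProtrusionError>0 OR OffCentreError>0
| bin _time span=1h
| eval _time=strftime(_time,"%d %H:00")
| eval foo=ProtrusionError+OffCentreError+Dimension
| chart sum(foo) as ErrorFrequency over Location by _time useother=f limit=100
| addtotals
| sort 0 - Total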
Hi, I am new to Splunk and couldn't figure out how to work with OpenTelemetry's histogram buckets in Splunk. I have a basic setup of 3 buckets from OTel, with le=2000, 8000, +Inf, and the bucket metric name is "http.server.duration_bucket". My goal is to display the count inside the 3 buckets for a 15-minute period, perform a calculation using those values, and add the calculated value as a 4th column. I came up with this so far:

| mstats max("http.server.duration_bucket") chart=true WHERE "index"="metrics" span=15m BY le
| fields - _span*
| rename * AS "* /s"
| rename "_time /s" AS _time

But immediately I see 2 issues: a) the 8000 bucket results include the 2000 bucket results as well, because they are recorded as cumulative histograms, and b) the values inside the buckets are always increasing, so I cannot isolate how many counts belong to the 2000 bucket now vs. the same bucket 15 minutes ago. I also realized that I don't know how to get the right calculation and separate the buckets without using "BY le", so I cannot perform calculations from there.

So my questions are:
1) Is there an example of a function for displaying the real non-cumulative values in the histogram for a given period?
2) If my calculation is max(le=2000)*0.6 + max(le=8000)*0.4, how would I add that as a column to the search?

Thanks in advance!
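A hedged sketch of one way to turn the cumulative counters into per-window, per-bucket counts, assuming the series are monotonically increasing counters with no resets and that le arrives exactly as 2000, 8000 and +Inf (the first window per bucket shows 0 because there is no previous sample to subtract):

| mstats max("http.server.duration_bucket") as cum WHERE index="metrics" span=15m BY le
| sort 0 le _time
| streamstats current=t window=2 range(cum) as increase by le
| xyseries _time le increase
| eval bucket_le_2000='2000', bucket_2000_8000='8000'-'2000', bucket_8000_inf='+Inf'-'8000'
| eval weighted='2000'*0.6 + '8000'*0.4
| table _time bucket_le_2000 bucket_2000_8000 bucket_8000_inf weighted

The range() over a two-sample window gives each cumulative counter's increase within the 15-minute span, the subtraction between adjacent le columns de-cumulates the buckets, and the last eval applies the requested 0.6/0.4 weighting to the per-window values as the extra column.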
Hello there, I have the following two events:

Event #1
source=foo1  eventid=abc message="some message dfsdfdfgfdggfg fgdfdgfdg "time":"2023-11-09T21:33:05.0738373837278Z, abcefg"

Event #2
source=foo2 eventid=abc time: 2023-11-09T21:33:05Z

I need to relate these two events based on their eventid and event_id values being the same. I got help before to write this query:

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| stats values(*) as * by eventID

Now I need to expand the above query by extracting the timestamp from the message field of Event #1 and comparing it against the time field of Event #2. Basically I need to do a timestamp subtraction between the two fields to see if there is a time difference and by how much (seconds, minutes, etc.). Do you know how to do that? Thanks!
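A hedged sketch building on the same query. It assumes the time field of Event #2 is already extracted and that the message timestamp always appears as "time":"...", and it deliberately ignores the fractional seconds so both values parse with the same strptime format (which also keeps timezone handling consistent between the two):

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| rex field=message "\"time\":\"(?<msg_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| eval msg_epoch=strptime(msg_time, "%Y-%m-%dT%H:%M:%S")
| eval evt_epoch=strptime(replace(time, "Z$", ""), "%Y-%m-%dT%H:%M:%S")
| stats values(*) as * by eventID
| eval diff_seconds=abs(evt_epoch - msg_epoch)
| eval diff_readable=tostring(diff_seconds, "duration")

diff_seconds is the difference in seconds and diff_readable renders it as a duration string; if sub-second precision matters, the rex and the strptime format would need to carry the fractional part as well.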
For new RBA users, here are some frequently asked questions to help you get started with the product.

1. What is RBA (Risk-Based Alerting)?
Risk-Based Alerting (RBA) is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts. When Splunk customers use RBA, they see a 50% to 90% reduction in alerting volume, while the remaining alerts are higher fidelity, provide more context for analysis, and are more indicative of true security issues.

2. Why RBA?
With Splunk RBA, you can:
Improve the detection of sophisticated threats, including low-and-slow attacks often missed by traditional SIEM products.
Seamlessly align with leading cyber security frameworks such as MITRE ATT&CK, Kill Chain, CIS 20, and NIST.
Scale analyst resources to optimize SOC productivity and efficiency.

3. Fundamental terminology for RBA
Risk Analysis Adaptive Response Action: The actual response action that gets triggered either instead of or in addition to a notable event response action when a risk rule matches. It adds risk scores and security metadata to events that are stored in the risk index as risk events for every risk object.
Notable Event: An event generated by a correlation search as an alert. A notable event includes custom metadata fields to assist in the investigation of the alert conditions and to track event remediation.
Asset and Identity Framework: The Asset and Identity framework performs asset and identity correlation for fields that might be present in an event set returned by a search. The framework relies on lookups and configurations managed by the Enterprise Security administrator.
Common Information Model (CIM): The Splunk Common Information Model is a shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.
Risk Analysis Framework: The Risk Analysis framework provides the ability to identify actions that raise the risk profile of individuals or assets. The framework also accumulates that risk to allow identification of people or devices that perform an unusual amount of risky activities.
Risk Event Timeline: A popup visualization that can drill down and analyze the correlation of risk events with their associated risk scores.
Risk Score: A single metric that shows the relative risk of an asset or identity, such as a device or a user, in your network environment over time.
Risk Rule: A narrowly defined correlation search run against raw events to observe potentially malicious activity. A Risk Rule contains three components: search logic (Search Processing Language), risk annotations, and the Risk Analysis Adaptive Response action to generate risk events. All risk events are written to the risk index.
Risk Incident Rule: A risk incident rule reviews the events in the risk index for anomalous events and threat activities and uses an aggregation of events impacting a single risk object, which can be an asset or identity, to generate risk notables in Splunk Enterprise Security.

4. What are the common use cases of RBA?
The most common use case for RBA is detection of malicious compromise.
However, the methodology can be utilized in many other ways, including machine learning, insider risk, and fraud.
Machine learning: RBA is key in elevating machine learning from hype to practice, filtering through data noise and spotlighting actionable insights by combining domain knowledge with smart data processing.
Insider risk: RBA streamlines the process of leveraging the MITRE ATT&CK framework by homing in on the critical data sources and use cases essential for a robust insider risk detection program, resulting in a more focused approach with significantly reduced development time for a mature program, while providing high-value insights and the capability to alert on activity over large timeframes.
Fraud: The Splunk App for Fraud Analytics, driven by the RBA framework, sharpens fraud detection and prevention, particularly for account takeover and new account activities. It streamlines the creation of risk rules from its investigative insights, promising significant operational gains after integration with Splunk ES.

5. What are the prerequisites for using RBA?
To use RBA efficiently, you need to have Splunk Enterprise Security (ES) 6.4+ installed.

6. What is the relationship between Enterprise Security and RBA?
Enterprise Security (ES) is a SIEM solution that provides a set of out-of-the-box frameworks for a successful security operations program. RBA is the framework that surfaces high-fidelity, low-volume alerts from subtle or noisy behaviors, and it works in conjunction with the Search, Notable Event, Asset and Identity, and Threat Intel frameworks.

7. How can I implement RBA successfully?
Follow the four-level approach to implementing RBA and check each step in detail using the RBA Essential Guide.

8. What RBA content should I start with?
Leverage the MITRE ATT&CK framework mapped against your data sources if you're at the start of your journey, or leverage your existing alert landscape and focus on noisy alerts closed with no action.
Consider ingesting a data source like EDR, DLP, or IDS with many of its own signatures and applying different risk amounts by severity.
Try to paint a picture with a collection of content. Review fingerprints from successful red team intrusions or create a purple team exercise.
If engaging PS, stick to one use case per day. Don't try to boil the ocean; stick to a crawl, walk, run approach. It will ramp up as the foundations are set in place.

9. Where do I start, and how often do I review the detections?
You need events in the risk index to drive risk alerts.
Start with at least 5-10 detections/rules (for smaller companies); use the Essential Guide for step-by-step instructions.
Make sure they tell a story, spanning a breadth of ATT&CK phases.
Ensure you have a breadth of risk scores; if your threshold is 100, you want variation so that a high (75) and a low (25), or two mediums (50), or four lows (25) could all bubble up to something interesting.
Discuss risk notables with your internal RBA committee on a weekly basis, and maybe monthly with leadership to discuss trends.
NOTE: Don't be afraid to set the risk score to zero. You have to do this in SPL: | eval risk_score = "0"

10. How do I calculate risk scores in RBA?
The Splunk Threat Research Team utilizes a combination of Impact, or the potential effectiveness of the attack if it was observed, and Confidence as to how likely this is a malicious event.
The confidence in every environment can vary, so it is important to test detections over a large timeframe, get an idea of how common the observation is in your environment, and score appropriately. You may want to score an observation differently based on a signature, business unit, or anything you find happening too often, so you can also set the risk_score field in your SPL. There are examples of this in the Essential Guide as well as on the RBA GitHub.

11. What are the best practices for setting and adjusting risk scores as the implementation improves?
It's important to keep your threshold constant and tune your risk scores around the threshold. Risk scores are meant to be dynamic as you find what is or isn't relevant in the risk notables that surpass the threshold. Often it makes sense to lower the risk based on attributes of a risk object, or on other interesting fields indicating non-malicious, regular business traffic, by declaring the risk_score field in your SPL (an illustrative SPL sketch follows at the end of this FAQ). As you advance, you can try making custom risk incident rules that look at risk events over larger amounts of time and experiment with increasing the threshold.

12. What are the primary challenges in the RBA implementation process?
Buy-in from both technical and business (economic buyer / leadership) sides.
Time invested in initial development and continued documentation.
Familiarity with SPL (commands of value: rex, eval, foreach, lookup, makeresults, autoregress).
Tuning of the risk scoring.
Getting the SOC involved (they are the ones intimately involved with all the noise on a daily basis).
Asset and Identity data is ideal, but it doesn't have to be perfect; a train wreck is OK.
RBA is a journey, not a one-and-done deal.

13. How can I simulate events in the risk index for testing RBA?
Splunk ATT&CK Range is the perfect fit for this (see its introduction and GitHub repository). There are also open-source solutions like Atomic Red Team, which is also available on GitHub.

14. What are the most helpful self-service RBA resources?
Splunk Lantern: RBA prescriptive adoption motion
NEW: Standalone RBA Manual
The Essential Guide to Risk-Based Alerting: comprehensive implementation guide from start to finish
The RBA Community: hosts a community Slack, regular office hours, and common resources to help with RBA development
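Tying together questions 10 and 11, here is a minimal, self-contained sketch of how a risk rule's SPL might derive a score from impact and confidence and then lower or zero it for known-benign attributes. The makeresults row, the impact*confidence/100 weighting, the svc_ naming convention, and the vuln_scanner category are illustrative assumptions rather than shipped Splunk content:

| makeresults
| eval risk_object="svc_backup", src_category="workstation", impact=80, confidence=50
| eval risk_score=round((impact*confidence)/100, 0)
| eval risk_score=case(src_category="vuln_scanner", 0, match(risk_object, "^svc_"), round(risk_score*0.25, 0), true(), risk_score)
| table risk_object src_category impact confidence risk_score

In a real risk rule the makeresults line would be replaced by the detection search, and the resulting risk_score field is what the Risk Analysis adaptive response action picks up, as described in question 11.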