Then I did nothing for a while as I let the risk scoring roll in. I deployed the majority of it! We went through all the existing searches and identified their severity and whatnot and assigned a risk score based on that (increments of 20, ending at 100 for a critical this is standard for Enterprise Security as of 6.4). If you have any additional resources on RBA or Splunk ES in general please share! Thank you in advance
What metrics do you collect on Risk Objects and Risk Scores? Is it adding value to and for your SOC? What are some of the "Thresholds" that you have to meet in your environment to trigger a Notable event that leads to an investigation? How do you determine a risk score to assign to those risky events? Is there some sort of formula that you use to scale them respectively?
#Splunk enterprise security download#
This can be a broad answer, for example, right now we have - download activity, threat list hits, vulnerabilities, etc. What events in your environment do you deem "Risky" or do you have set to generate risk? I wanted to hear from anyone who is currently using the Risk-Based Alerting approach and tap in on some of the knowledge. and combat alert fatigue + too much whitelisting I found great value in the context that RBA provides when dealing with investigations vs the traditional security alert that provides very little to no context at all. conf RBA presentations and slide decks and have built and implemented a similar version in my organization's SOC.
Splunk Enterprise Security - Risk-Based Alerting(RBA) - Anyone doing this? if so, how and why?