WEEK_3 · DAY_20 · 1 HOUR
Risk-Based Alerting (RBA)
The modern paradigm — accumulate small risks into one notable
Learning Objectives
- Understand why static rules fail and RBA wins
- Design a risk pipeline (factors, modifiers, thresholds)
- Build a risk notable (sum of risk > threshold)
- Tune to reduce false positives 10×
Module 1 — The Problem with Static Rules
One PowerShell encoded command alone = 95% false positive.
But that + a phishing click + a logon from a new country = textbook compromise.
Static rules can't see the combination — RBA can.
Module 2 — Risk Factors
Each risk-generating search adds N points to a risk_object (system or user).
Factors multiply scores when context matches (e.g. ×3 for executive accounts, ×2 for PCI hosts).
Module 3 — Risk Notable
Hourly search: stats sum(risk_score) by risk_object → if total > 100 in 24h, fire a Notable.
The notable now packages 10 small signals into 1 high-confidence alert.
Module 4 — Tuning
Risk Analysis dashboard shows top objects daily.
Adjust scores up/down based on actual false positives over weeks.
SPL Queries
Risk notable pipeline
index=risk earliest=-24h
| stats sum(risk_score) as total_risk values(search_name) as contributing by risk_object
| where total_risk > 100
| sort - total_risk
Sums risk per entity over the trailing 24 hours (the window Module 3 specifies) and surfaces the objects above threshold.
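Added example, not from the course or from Splunk: a Python model of the risk pipeline above, applying the Module 2 factors (×3 executive, ×2 PCI) and the Module 3 rule (sum over 24 hours, notable above 100) to constructed risk events. User, host, search names and timestamps are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows standing in for index=risk (hypothetical users,
# hosts and times). risk_score is the base points the search assigned.
RISK_EVENTS = [
    {"_time": "2024-05-01T08:05", "risk_object": "jsmith", "search_name": "Phishing Link Clicked", "risk_score": 40},
    {"_time": "2024-05-01T08:40", "risk_object": "jsmith", "search_name": "PowerShell Encoded Command", "risk_score": 30},
    {"_time": "2024-05-01T09:10", "risk_object": "jsmith", "search_name": "Logon From New Country", "risk_score": 50},
    {"_time": "2024-05-01T10:00", "risk_object": "svc-backup", "search_name": "PowerShell Encoded Command", "risk_score": 30},
    {"_time": "2024-04-28T10:00", "risk_object": "svc-backup", "search_name": "PowerShell Encoded Command", "risk_score": 30},
    {"_time": "2024-05-01T11:00", "risk_object": "web-pci-01", "search_name": "New Local Admin Created", "risk_score": 30},
]

# Risk factors (Module 2): multiplier applied when the object matches context.
# Hypothetical identity/asset metadata; in ES this would come from a lookup.
RISK_FACTORS = {"jsmith": 3, "web-pci-01": 2}  # executive account, PCI host

THRESHOLD = 100          # Module 3: fire a notable above this
WINDOW = timedelta(hours=24)
NOW = datetime.fromisoformat("2024-05-01T12:00")  # constructed "current time"


def risk_totals(events, factors, now):
    """Mirror `stats sum(risk_score) values(search_name) by risk_object`
    over the trailing 24 h, with factor multipliers applied per event."""
    totals, contributing = defaultdict(int), defaultdict(set)
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        if ts > now or now - ts > WINDOW:
            continue  # stale risk outside the window must not accumulate
        obj = ev["risk_object"]
        totals[obj] += ev["risk_score"] * factors.get(obj, 1)
        contributing[obj].add(ev["search_name"])
    return {obj: (totals[obj], sorted(contributing[obj])) for obj in totals}


def risk_notables(events, factors, now, threshold=THRESHOLD):
    """Objects whose summed risk exceeds the threshold, highest first."""
    summary = risk_totals(events, factors, now)
    hits = [(o, t, names) for o, (t, names) in summary.items() if t > threshold]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for obj, total, names in risk_notables(RISK_EVENTS, RISK_FACTORS, NOW):
        print(f"NOTABLE {obj}: {total} points from {', '.join(names)}")
```

Running it yields one notable for jsmith; the lone encoded-PowerShell hit on svc-backup stays far under threshold, which is the Module 1 point, and its three-day-old twin is dropped by the window check.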
Lab 20 — Design an RBA Pipeline
- Open Splunk ES → Security Intelligence → Risk Analysis.
- Identify the top 5 risk objects.
- List 3 contributing risk searches per object.
- Recommend score adjustments and a final notable threshold.
Key Takeaways
- RBA cuts alert fatigue 10×
- risk_object = system OR user — pick one per detection
- Tune scores weekly with the Risk Analysis dashboard