WEEK_3 · DAY_20 · LAB
Lab 20 — Design an RBA Pipeline
The modern paradigm — accumulate small risks into one notable
Lab Objectives
- Understand why static rules fail and RBA wins
- Design a risk pipeline (factors, modifiers, thresholds)
- Build a risk notable (sum of risk > threshold)
- Tune to reduce false positives 10×
Lab Instructions
1. Open Splunk ES → Security Intelligence → Risk Analysis.
2. Identify the top 5 risk objects.
3. List 3 contributing risk searches per object.
4. Recommend score adjustments and a final notable threshold.
SPL for this Lab
Risk notable pipeline open in Splunk
index=risk | stats sum(risk_score) as total_risk values(search_name) as contributing by risk_object | where total_risk > 100 | sort - total_risk
This search sums risk per entity and surfaces the noisiest ones; the `> 100` threshold is the value step 4 asks you to adjust.
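As an added example (not part of this lab or of Splunk's own code), the same pipeline in Python over constructed risk events: base scores are scaled by an asset-priority modifier, summed per risk_object like the SPL above, and a notable fires when the total exceeds the threshold. The host names, rule names, priorities and multipliers are assumed; the `min_sources` knob shows one tuning step that keeps a single chatty rule from producing a notable on its own.

```python
from collections import defaultdict

# Constructed sample events shaped like the lab's index=risk data:
# one row per risk-rule hit, carrying the fields the lab's SPL aggregates on.
RISK_EVENTS = [
    {"risk_object": "host-01", "search_name": "Excessive Failed Logins", "risk_score": 20},
    {"risk_object": "host-01", "search_name": "New Local Admin Created", "risk_score": 30},
    {"risk_object": "host-01", "search_name": "Outbound to Rare Domain", "risk_score": 15},
    {"risk_object": "host-03", "search_name": "Outbound to Rare Domain", "risk_score": 15},
    {"risk_object": "host-03", "search_name": "New Local Admin Created", "risk_score": 30},
] + [  # one chatty rule firing six times against the same host
    {"risk_object": "host-02", "search_name": "Excessive Failed Logins", "risk_score": 20}
    for _ in range(6)
]

# Risk modifiers (assumed values): scale a rule's base score by the priority
# of the asset it hit, so the same rule counts more on a crown-jewel host.
PRIORITY_MULTIPLIER = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}
ASSET_PRIORITY = {"host-01": "critical", "host-02": "medium", "host-03": "low"}

def modified_score(event):
    """Base risk_score times the asset-priority multiplier (unknown assets count as medium)."""
    priority = ASSET_PRIORITY.get(event["risk_object"], "medium")
    return event["risk_score"] * PRIORITY_MULTIPLIER[priority]

def accumulate(events, use_modifiers=True):
    """Sum risk per risk_object and record which searches contributed,
    like the lab's `stats sum(risk_score) values(search_name) by risk_object`."""
    totals, sources = defaultdict(float), defaultdict(set)
    for ev in events:
        score = modified_score(ev) if use_modifiers else ev["risk_score"]
        totals[ev["risk_object"]] += score
        sources[ev["risk_object"]].add(ev["search_name"])
    return {obj: (totals[obj], sorted(sources[obj])) for obj in totals}

def risk_notables(events, threshold=100, min_sources=1, use_modifiers=True):
    """Entities whose accumulated risk exceeds the threshold, highest first.
    min_sources is the tuning knob: requiring several distinct contributing
    searches suppresses one noisy rule that keeps re-firing on a single host."""
    agg = accumulate(events, use_modifiers)
    hits = [(obj, total, srcs) for obj, (total, srcs) in agg.items()
            if total > threshold and len(srcs) >= min_sources]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

if __name__ == "__main__":
    for obj, total, srcs in risk_notables(RISK_EVENTS):
        print(f"{obj}: {total:.1f} from {srcs}")
    print("after tuning:", [h[0] for h in risk_notables(RISK_EVENTS, min_sources=2)])
```

With modifiers off, only the host hit by the repeating rule crosses 100; with modifiers on, the critical asset with three different contributing searches ranks first, and requiring two distinct sources drops the single-rule host entirely.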