Enterprise Security
Splunk App for Enterprise Security · v7.3.0
DAY 20 LAB · LAB 20 — DESIGN AN RBA PIPELINE · WEEK 3
Design an RBA pipeline — sum small risks into one notable.
- Security Intelligence → Risk Analysis.
- Identify the top 5 risk objects (highest sum(risk_score) per risk_object).
- Build a search: sum(risk_score) > 100 per risk_object → fire a notable.
- Tune scores (and the rule itself: require more than one contributing correlation search, so a single noisy rule cannot fire a notable on its own).
Hint: RBA is meant to cut alert fatigue (the lab's figure is 10×) by escalating only when an object's accumulated risk crosses the threshold, not on every individual detection.
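The four steps above, worked through as an added example that is not part of the lab or of Splunk ES. Constructed risk events stand in for what the Risk Analysis adaptive response writes to the risk index; the field names risk_object, risk_object_type, risk_score and source follow the ES risk index, while the technique field, the timestamps, the correlation-search names and every score are assumptions made up here. The sample is built so that the three objects from the Risk Analysis table come out at 256, 168 and 88, plus one extra single-source object (scanner01) that shows why step 4 matters. The SPL in the docstring is the search step 3 asks for, assuming the risk events live in index=risk.

```python
"""Minimal RBA pipeline: window, sum, threshold, tune. (Added example.)

Equivalent SPL for the lab's risk incident rule (assumes index=risk and a
multivalue technique annotation field; adjust to your environment):

    index=risk earliest=-24h@h
    | stats sum(risk_score) as risk_score, dc(source) as source_count,
            values(annotations.mitre_attack) as techniques
      by risk_object, risk_object_type
    | where risk_score > 100 AND source_count >= 2
"""
from datetime import datetime, timedelta, timezone

THRESHOLD = 100               # lab step 3: sum(risk_score) > 100 fires a notable
MIN_SOURCES = 2               # lab step 4 tuning: one noisy search alone cannot fire it
WINDOW = timedelta(hours=24)  # aggregation window, like earliest=-24h@h
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for determinism


def _ev(hours_ago, obj, otype, score, source, technique=None):
    """Build one constructed risk event (made-up data, not from a real index)."""
    return {"_time": (NOW - timedelta(hours=hours_ago)).isoformat(),
            "risk_object": obj, "risk_object_type": otype, "risk_score": score,
            "source": source, "technique": technique}


# Constructed sample risk events. Sums: admin_svc 256, 10.4.12.91 168, 10.4.12.50 88.
SAMPLE_RISK_EVENTS = [
    _ev(1, "admin_svc", "user", 100, "Mass File Rename", "T1486"),
    _ev(2, "admin_svc", "user", 80, "Domain Account Created", "T1136.002"),
    _ev(3, "admin_svc", "user", 60, "Admin Share Lateral Movement", "T1021.002"),
    _ev(5, "admin_svc", "user", 16, "Excessive Failed Logins"),
    _ev(1, "10.4.12.91", "system", 100, "Mass File Rename", "T1486"),
    _ev(3, "10.4.12.91", "system", 60, "Admin Share Lateral Movement", "T1021.002"),
    _ev(4, "10.4.12.91", "system", 8, "Excessive Failed Logins"),
    _ev(3, "10.4.12.50", "system", 60, "Admin Share Lateral Movement", "T1021.002"),
    _ev(6, "10.4.12.50", "system", 20, "Excessive Failed Logins"),
    _ev(8, "10.4.12.50", "system", 8, "Port Scan Detected"),
    # 72h old: outside the window, must not count toward 10.4.12.50.
    _ev(72, "10.4.12.50", "system", 100, "Mass File Rename", "T1486"),
]
# One noisy rule hitting one host 15 times: 15 * 8 = 120 points from a single source.
SAMPLE_RISK_EVENTS += [_ev(h, "scanner01", "system", 8, "Port Scan Detected")
                       for h in range(1, 16)]


def aggregate_risk(events, now=NOW, window=WINDOW):
    """Sum risk per object inside the window; mirrors `stats ... by risk_object`."""
    cutoff = now - window
    agg = {}
    for ev in events:
        if datetime.fromisoformat(ev["_time"]) < cutoff:
            continue  # too old for this window
        row = agg.setdefault(ev["risk_object"], {
            "risk_object": ev["risk_object"], "risk_object_type": ev["risk_object_type"],
            "risk_score": 0, "sources": set(), "techniques": set()})
        row["risk_score"] += ev["risk_score"]
        row["sources"].add(ev["source"])
        if ev["technique"]:
            row["techniques"].add(ev["technique"])
    return agg


def top_risk_objects(events, n=5, now=NOW):
    """Lab step 2: the n highest-risk objects as (risk_object, type, sum)."""
    rows = sorted(aggregate_risk(events, now).values(), key=lambda r: -r["risk_score"])
    return [(r["risk_object"], r["risk_object_type"], r["risk_score"]) for r in rows[:n]]


def risk_incident_rule(events, threshold=THRESHOLD, min_sources=MIN_SOURCES, now=NOW):
    """Lab steps 3-4: one notable per object over threshold AND with enough
    distinct contributing searches; returns notables sorted by score."""
    notables = []
    for row in aggregate_risk(events, now).values():
        if row["risk_score"] > threshold and len(row["sources"]) >= min_sources:
            notables.append({"risk_object": row["risk_object"],
                             "risk_object_type": row["risk_object_type"],
                             "risk_score": row["risk_score"],
                             "source_count": len(row["sources"]),
                             "techniques": sorted(row["techniques"])})
    return sorted(notables, key=lambda n: -n["risk_score"])


if __name__ == "__main__":
    for row in top_risk_objects(SAMPLE_RISK_EVENTS):
        print("risk object", row)
    for notable in risk_incident_rule(SAMPLE_RISK_EVENTS):
        print("NOTABLE", notable)
    print("untuned (min_sources=1) would also fire:",
          [n["risk_object"] for n in risk_incident_rule(SAMPLE_RISK_EVENTS, min_sources=1)])
```

With the tuning in place, admin_svc (256) and 10.4.12.91 (168) each become one notable carrying every contributing technique, 10.4.12.50 (88) stays below the threshold, and scanner01 (120 points, all from one correlation search) is suppressed; relax min_sources to 1 and scanner01 fires, which is the alert-fatigue failure the lab's step 4 is tuning away.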
Security Intelligence · Risk Analysis
Highest Risk Objects (computed)
| risk_object | risk_object_type | sum(risk_score) |
|---|---|---|
| admin_svc | user | 256 |
| 10.4.12.91 | system | 168 |
| 10.4.12.50 | system | 88 |
MITRE ATT&CK Techniques (live)
| technique | name | count |
|---|---|---|
| T1486 | Data Encrypted for Impact | 1 |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | 1 |
| T1136.002 | Create Account: Domain Account | 1 |
Drill-down
Risk scores aggregate live from the risk events written by the adaptive responses of the current notables. Run adaptive responses in the modal to see the scores update.