Download topic as PDF
Reduce alert volumes by triaging notables
Buttercup Games, a fictitious company, runs an e-commerce site to sell its products. Ram, a security analyst at Buttercup Games, triages incoming notables from correlation searches and opens investigations to assess risk to his organization. He receives over 10,000 notables every day, 25-30% of which may be closed with a disposition other than true positive.
Despite Ram's best attempts to triage all notables and delegate the investigations, manually selecting notables for triage forces him to abandon certain notables that he deems less risky. Sifting through the high volume of notables causes Ram to burn out quickly. The high volume of notables also results in slow threat detection and response time, which exposes Ram's organization to security threats.
Kay, the manager of the security operations center (SOC) at Buttercup Games and Ram's manager, wants to streamline the manual and monotonous triage process. Kay knows that Ram can potentially overlook the risks in the SOC and asks Ram to use dispositions and other features available in Splunk Enterprise Security to triage notables and prioritize them for the detection engineer, Milly, to investigate. Therefore, Ram assigns dispostions to the notables, which enables Milly, the detection engineer to study those dispositions as part of the tuning process and prioritize the investigations and focus on the notables that pose the highest threat.
This use case describes how Ram uses dispositions to separate notables that are false positives from notables that represent real threats while reducing alert fatigue and risk in the SOC of Buttercup Games by taking these steps.
|
PREVIOUS Adjust risk scores for specific objects |
NEXT Add dispositions to risk notables |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
Feedback submitted, thanks!