About the Risk-based Alerting Tutorial
Splunk Enterprise Security uses risk-based alerting (RBA) to accelerate and simplify the process of detecting risk in your security environment and to reduce false positives. This RBA tutorial is for security analysts and detection engineers who have prior experience working with both the Splunk platform and the Enterprise Security app and who want to use RBA to reduce alert volume and isolate threats in their security operations center (SOC).
Use this tutorial to learn how to assign risk for specific users or systems, triage incidents, and identify threat levels using RBA in Splunk Enterprise Security.
What Splunk Enterprise Security version do you need?
The default risk incident rules, with their mapped and customizable security frameworks, require Splunk Enterprise Security version 6.4.0 or higher. To upgrade Splunk Enterprise Security to the latest version, see Upgrade Splunk Enterprise Security in the Installation and Upgrade manual.
What's in this tutorial
Use this tutorial to learn how to operationalize cybersecurity frameworks such as MITRE ATT&CK. In this tutorial, you will create risk incident rules and risk factors to detect and prioritize risk in your environment. You will also learn how to create and review risk notables to isolate threats.
How to use this tutorial
Each part in the RBA tutorial builds on the previous part. It is important that you don't skip any part.
- Part 1: Getting started
- Part 2: Raise the risk score of watchlisted users using risk factors
- Part 3: Create a risk incident rule
- Part 4: Review risk using the Risk Analysis dashboard
- Part 5: Review risk notables
- Part 6: Suppress risk notables to reduce alert noise
At the end of most of the parts in this tutorial is a section called "See also". These sections contain links to Splunk documentation that provide additional information on concepts discussed in that topic.
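The parts above follow the RBA pipeline end to end: detections write risk events against a risk object, risk factors adjust the scores of watchlisted objects, a risk incident rule aggregates the scores over a window and raises a risk notable when a threshold is crossed, and suppressions remove known-benign notables. The following Python model is an added illustration of that flow, not Splunk's own implementation or SPL from this tutorial. The event fields, the watchlist multiplier, the score and tactic thresholds, the suppression list and the sample events are all constructed for the example; in Splunk Enterprise Security these would be risk index events, risk factor rules and risk incident rule settings.

```python
"""Toy model of a risk-based alerting pipeline.

Added illustration, not Splunk code. The data structures, thresholds and
sample events are constructed for this example; the field names mirror the
RBA vocabulary used in the tutorial (risk object, risk score, risk factor,
risk incident rule, risk notable, suppression).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RiskEvent:
    time: int              # epoch seconds (constructed values)
    risk_object: str       # user or system the detection attributes risk to
    risk_object_type: str  # "user" or "system"
    risk_score: int        # score assigned by the originating detection
    tactic: str            # MITRE ATT&CK tactic ID annotated on the detection
    source: str            # name of the detection that produced the event


@dataclass
class RiskSummary:
    risk_object: str
    risk_object_type: str
    total_score: float = 0.0
    tactics: set = field(default_factory=set)
    sources: set = field(default_factory=set)


# Assumed risk factor (Part 2): watchlisted user accounts get their scores doubled.
WATCHLIST = {"svc_backup"}
WATCHLIST_MULTIPLIER = 2.0


def apply_risk_factors(event: RiskEvent) -> float:
    """Return the event's score after risk factors are applied."""
    score = float(event.risk_score)
    if event.risk_object_type == "user" and event.risk_object in WATCHLIST:
        score *= WATCHLIST_MULTIPLIER
    return score


def aggregate(events, window_start: int, window_end: int) -> dict:
    """Sum risk per risk object over a time window, tracking tactics and sources."""
    summaries = {}
    for ev in events:
        if not (window_start <= ev.time < window_end):
            continue
        key = (ev.risk_object_type, ev.risk_object)
        s = summaries.setdefault(key, RiskSummary(ev.risk_object, ev.risk_object_type))
        s.total_score += apply_risk_factors(ev)
        s.tactics.add(ev.tactic)
        s.sources.add(ev.source)
    return summaries


def risk_incident_rule(summaries, score_threshold=100.0, tactic_threshold=3):
    """Emit one risk notable per object that crosses either threshold (Part 3).

    Thresholds are assumed values for this example, not Splunk defaults.
    """
    notables = []
    for s in summaries.values():
        reasons = []
        if s.total_score >= score_threshold:
            reasons.append(f"score {s.total_score:.0f} >= {score_threshold:.0f}")
        if len(s.tactics) >= tactic_threshold:
            reasons.append(f"{len(s.tactics)} distinct ATT&CK tactics")
        if reasons:
            notables.append({
                "risk_object": s.risk_object, "type": s.risk_object_type,
                "score": s.total_score, "tactics": sorted(s.tactics),
                "sources": sorted(s.sources), "reasons": reasons,
            })
    return notables


def suppress(notables, suppressions):
    """Drop notables whose contributing detections are all suppressed (Part 6).

    suppressions: set of (risk_object, source) pairs treated as known-benign.
    """
    return [n for n in notables
            if not all((n["risk_object"], src) in suppressions for src in n["sources"])]


# Constructed sample risk events; in Splunk these would live in the risk index.
# Detection names are made up for the example.
SAMPLE_EVENTS = [
    RiskEvent(100, "alice", "user", 20, "TA0001", "Example Phishing Attachment"),
    RiskEvent(200, "alice", "user", 20, "TA0002", "Example Script Execution"),
    RiskEvent(300, "alice", "user", 20, "TA0008", "Example Remote Logon"),
    RiskEvent(150, "svc_backup", "user", 30, "TA0004", "Example Failed Logins"),
    RiskEvent(250, "svc_backup", "user", 30, "TA0004", "Example Failed Logins"),
    RiskEvent(400, "bob", "user", 90, "TA0010", "Example Large Upload"),
    RiskEvent(500, "host-7", "system", 40, "TA0011", "Example DNS Beacon"),
]

# Assumed suppression: the backup service account is known to trip this detection.
SUPPRESSIONS = {("svc_backup", "Example Failed Logins")}


def run_pipeline(events=SAMPLE_EVENTS, suppressions=SUPPRESSIONS):
    """Seven low-value risk events reduce to the notables worth an analyst's time."""
    summaries = aggregate(events, window_start=0, window_end=1000)
    return suppress(risk_incident_rule(summaries), suppressions)


if __name__ == "__main__":
    for notable in run_pipeline():
        print(notable)
```

With the constructed input, alice never crosses the score threshold but touches three ATT&CK tactics and is surfaced; svc_backup crosses the score threshold only because of the watchlist multiplier, and is then suppressed as known backup-job noise; bob and host-7 stay as risk events without producing a notable. Seven raw detections collapse into a single risk notable, which is the alert-volume reduction the tutorial is about.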
Next step
To get started, continue to Getting started.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2