Modifying risk incident rules based on the search results
Modify the risk incident rules based on the search results prior to deploying risk-based alerting in a production environment.
Initially, RBA might generate more alerts rather than fewer. Although this seems counter-intuitive, the extra volume is what lets you improve the risk index and fine-tune the alerts. As an analyst, you must invest time to curate your risk index and identify how to customize RBA to your own environment over time.
If you determine that a risk incident rule represents a low threat, you can assign it a low risk score so that it rarely generates alerts. The risk scores associated with assets and identities are only one component of the detection process. The risk notable searches that you tune based on prior experience and knowledge help to construct stories that detect threats, prioritize investigations, run adversary simulations, and define threat hunting perspectives.
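As an added example, not taken from the Splunk documentation or from a shipped Enterprise Security rule, the following risk incident rule search aggregates risk events from the Risk data model per risk object and only produces a notable when the summed score, the number of distinct contributing risk rules (source_count), and the number of distinct ATT&CK tactics all exceed a threshold. The threshold values (risk_score > 100, source_count >= 3, mitre_tactic_id_count >= 2) are assumptions chosen for illustration; they are the knobs you raise or lower after reviewing what the search returns against your own risk index, and the scheduled search's time range supplies the lookback window.

```spl
| tstats `summariesonly`
    sum(All_Risk.calculated_risk_score) as risk_score,
    count as risk_event_count,
    dc(source) as source_count,
    values(source) as source,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
  from datamodel=Risk.All_Risk
  by All_Risk.risk_object, All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| where risk_score > 100 AND source_count >= 3 AND mitre_tactic_id_count >= 2
| sort - risk_score
```

Run the search without the final where clause first and inspect the distribution of risk_score and source_count per risk object. A single noisy risk rule that alone pushes many objects over the score threshold is a candidate for a lower risk score on that rule, while the source_count and mitre_tactic_id_count conditions ensure that one rule firing repeatedly does not by itself create a risk notable.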
See also
Configure correlation searches in Splunk Enterprise Security
Customizing risk factors by applying conditions to data fields
Suppressing false positives using alert throttling
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2