Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

About the Risk-based Alerting Tutorial

Splunk Enterprise Security uses risk-based alerting (RBA) to accelerate and simplify the process of detecting risk in your security environment and reduce false positives. This RBA tutorial is for security analysts and detection engineers, who have prior experience working on both the Splunk platform and the Enterprise Security app and want to use RBA to reduce alert volume and isolate threats in their security operations center (SOC).

Use this tutorial to learn how to assign risk for specific users or systems, triage incidents, and identify threat levels using RBA in Splunk Enterprise Security.

What Splunk Enterprise Security version do you need?

You must use Splunk Enterprise Security version 6.4.0 or higher to use the default risk incident rules with mapped, customizable security frameworks. To upgrade Splunk Enterprise Security to the latest version, see Upgrade Splunk Enterprise Security in the Installation and Upgrade manual.

What's in this tutorial

Use this tutorial to learn how to operationalize cybersecurity frameworks such as MITRE ATT&CK. In this tutorial, you will create risk incident rules and risk factors to detect and prioritize risk in your environment. You will also learn how to create and review risk notables to isolate threats.

How to use this tutorial

Each part in the RBA tutorial builds on the previous part. It is important that you don't skip any part.

At the end of most of the parts in this tutorial is a section called "See also". These sections contain links to Splunk documentation that provide additional information on concepts discussed in that topic.

Next step

To get started, continue to Getting started.

Last modified on 20 July, 2023
Additional resources for creating a correlation search   Part 1: Getting started

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters