The New & Improved Splunk Guide to Risk-Based Alerting
Howdy folks, it’s your friendly neighborhood transformational detection engineering evangelist Haylee Mills here. Maybe you’ve already been introduced to risk-based alerting, or maybe you’ve seen one of my many talks on the subject:
- SEC1215B - Making Friends With Threat Object: Automation, Tuning, and Threat Hunting With Risk-Based Alerting
- SEC1113A - Streamlining Analysis of Security Stories with Risk-Based Alerting
- SEC1992B - Blue Team Academy: Cybersecurity Defense Analyst - Risk and Risk Notables for Analysts
- SEC1144C - Curating your Risk Ecology: Making RBA Magick
Even if you haven’t, I’m super excited to share a brand new version of my step-by-step guide to success with the risk-based alerting framework! I first released it in 2022 and designed it with customers of any skill level in mind, because utilizing this exciting — but different from traditional alerting — method means building something that isn't a flick-the-switch solution; this is investing in your people with a product to transform your security approach.
It’s so powerful because it allows you to:
- Reduce the number of overall alerts while increasing the fidelity of alerts that arise
- Define and produce internal threat intelligence to identify normal or anomalous behavior
- Create high-value detections from traditionally noisy data sources, which align to popular cybersecurity frameworks like MITRE ATT&CK, CIS18, or the Lockheed Martin Cyber Kill Chain
- Develop a valuable risk library of metadata-enriched objects and behaviors for manual analysis or machine learning
So What’s New?
Build in Parallel
Not every piece of RBA needs to be fully developed and finished to start on the next piece. CIM data normalization is important, datamodels (and especially *accelerated datamodels*) are important, the Asset & Identity framework is important, but don’t let perfection get in the way of good! When you do tighten up these other bits, it will improve RBA, but they aren’t showstoppers.
Build Threat Object
Threat object is invaluable for tuning, SOAR enrichment, and finding anomalous behavior. Incorporate it at the start! You can take a look at the .conf23 talk Stuart McIntosh from Outpost Security and I gave to get a better idea of how useful this is, but please take my word for it. I’ve gotten on many customer calls where I see an issue that would be so much easier to diagnose, adjust, and remediate if they only had threat object fleshed out in their correlation searches.
Build Rule Diversity
You need variety in scores and sources for RBA to really show its value. If you only have one data source in your risk index, or your scores are all flat, you’re missing out on the power of things threading together in interesting ways.
Build Signature-Based Sources
Signature-based sources for risk events like IDS, DLP, EDR, or cloud alert logs bring a lot of diverse content online very quickly, which ties into the point above: they give you visibility into many behavior types at once. Decide what you investigate with direct alerts (maybe high and critical severity); everything else is perfect for risk.
Build Noisy Content into Risk
One of the most impactful things RBA can do is remove busywork from your analyst queues. If your analysts are closing out alerts with no action the majority of the time, those alerts should be in RBA. If they’re closing them out with action every time, that’s a great candidate for SOAR automation.
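As an added example (not code from this post or from Splunk), the Python below models the three points above: routing signature-based alerts to a direct alert or a risk event by severity, aggregating the risk index per risk object with both a score threshold and a rule-diversity threshold, and pivoting on threat object. The severity-to-score map, the thresholds and the sample events are constructed assumptions; in Splunk the same aggregation runs as a search over the risk index.

```python
# Added example (not Splunk's code) of RBA routing/aggregation; score map, thresholds and events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_SCORE = {"low": 10, "medium": 25, "high": 60, "critical": 80}
DIRECT_ALERT_SEVERITIES = {"high", "critical"}  # investigated as direct alerts
SCORE_THRESHOLD, RULE_DIVERSITY_THRESHOLD, WINDOW = 100, 3, timedelta(hours=24)
NOW = datetime(2025, 1, 1, 12)  # constructed clock for the sample data

def route_signature_alert(alert):
    """High/critical stay direct alerts; the rest become severity-weighted risk events."""
    if alert["severity"] in DIRECT_ALERT_SEVERITIES:
        return "direct_alert", alert
    return "risk_event", {"_time": alert["_time"], "risk_object": alert["user"],
                          "search_name": f"{alert['source']} - {alert['signature']}",
                          "threat_object": alert["threat_object"],
                          "risk_score": SEVERITY_SCORE[alert["severity"]]}

def risk_notables(risk_events, now=NOW):
    """Sum risk per risk_object over WINDOW; fire on total score OR distinct rules,
    so diverse low scores thread together while one flat, noisy rule does not."""
    agg = defaultdict(lambda: {"score": 0, "rules": set()})
    for e in risk_events:
        if now - e["_time"] <= WINDOW:
            agg[e["risk_object"]]["score"] += e["risk_score"]
            agg[e["risk_object"]]["rules"].add(e["search_name"])
    return {o: "score_threshold" if a["score"] >= SCORE_THRESHOLD else "rule_diversity"
            for o, a in agg.items()
            if a["score"] >= SCORE_THRESHOLD or len(a["rules"]) >= RULE_DIVERSITY_THRESHOLD}

def threat_object_spread(risk_events):
    """Distinct risk objects per threat_object: seen on many objects means a tuning
    candidate or a hunting lead, the pivot that a populated threat_object enables."""
    spread = defaultdict(set)
    for e in risk_events:
        spread[e["threat_object"]].add(e["risk_object"])
    return {t: len(objs) for t, objs in spread.items()}

def ev(hours_ago, user, rule, threat, score):  # one constructed risk-index row
    return {"_time": NOW - timedelta(hours=hours_ago), "risk_object": user,
            "search_name": rule, "threat_object": threat, "risk_score": score}

RISK_EVENTS = [  # constructed: alice = one flat noisy rule, bob = three diverse sources
    ev(1, "alice", "EDR - Script Interpreter", "powershell.exe", 25),
    ev(2, "alice", "EDR - Script Interpreter", "powershell.exe", 25),
    ev(3, "alice", "EDR - Script Interpreter", "powershell.exe", 25),
    ev(1, "bob", "IDS - Outbound Beacon", "203.0.113.7", 25),
    ev(2, "bob", "DLP - Large Upload", "203.0.113.7", 10),
    ev(3, "bob", "EDR - Script Interpreter", "powershell.exe", 25),
    ev(30, "carol", "EDR - Script Interpreter", "powershell.exe", 25),  # outside WINDOW
]
```

With this data only bob produces a notable, on rule diversity rather than score, while alice's three identical EDR hits stay in the risk index and powershell.exe shows up across all three users as a threat object worth tuning or hunting on.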
What Now?
What are you waiting for? Go download the new-and-improved Splunk Guide to Risk-Based Alerting and you’ll be well on your way. Also, please come join us in the RBA Community and feel free to ask questions on the Slack anytime or join us in the monthly Office Hours.