
UPCOMING WEBINAR

Splunk Alerting Magic:

Where Risks Disappear, Insights Appear

Tuesday, September 19, 2023
from 2pm to 3pm EST


What's New: 

The problem of alert fatigue has been a plague within most SOC environments regardless of the SIEM tool being used. The industry has been using correlation rules to examine data sources for anomalies, and these rules consistently create too many results, or "alerts". Analysts are flooded with these alerts and forced to try to investigate every one of them. The outcome is either that only high-priority results are investigated while all of the others are ignored, or that only a very small amount of time is dedicated to looking into a subset of the alerts, which often results in a failure to identify complicated threats.

During this webinar, we'll give an introduction to risk-based alerting: what it is and how it is implemented. You'll see risk-based alerting in action through a live demonstration, along with a quick overview of how to lay its foundation.


RBA Vision: 

“A world where analysts are no longer swimming in a sea of false positives, and are able to focus on real security work.”

RBA, or Risk Based Alerting, is a conceptual approach where analysts receive and respond only to Risk Based Notable Events, which are alerts that tell the larger story. In this approach, existing use cases, now known as Risk Rules, are collected only to the risk index, as investigatory items or indicators of compromise. Included in these events are some key pieces of enrichment, as well as intelligently driven risk scoring. In a pure RBA deployment, Risk Rules are not intended to be sent to the notable index, except in specific scenarios defined by the customer (high fidelity alert, etc.). As Risk Rules collect these indicator events, Risk Incident Rules correlate against the risk index and in turn create Risk Based Notable Events.
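To make the flow concrete, here is an added stand-alone Python model of the pipeline described above (Risk Rule writes to the risk index, a Risk Incident Rule aggregates per entity, a Risk Based Notable is raised). It is example code written for this page, not Splunk code and not part of the webinar material; the field names, the 24-hour window, the score threshold of 100 and the "three distinct ATT&CK tactics" trigger are assumptions chosen for illustration, and the risk events are constructed sample data.

```python
"""Added example: a toy model of risk-based alerting (not Splunk code).

Pipeline modelled:  Risk Rule -> risk index -> Risk Incident Rule -> Notable.
All thresholds and field names are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class RiskEvent:
    """One record in the risk index, as a Risk Rule would write it."""
    time: datetime
    risk_object: str       # entity the observation is about (user or host)
    risk_object_type: str  # "user" or "system"
    rule: str              # name of the Risk Rule that produced the event
    score: int             # risk score assigned by that rule
    tactic: str            # ATT&CK tactic annotation carried as enrichment


# Constructed sample contents of the risk index (not real telemetry).
T0 = datetime(2023, 9, 19, 8, 0, 0)
RISK_INDEX = [
    RiskEvent(T0 + timedelta(minutes=5),  "alice", "user", "Rare Process Launched",   20, "Execution"),
    RiskEvent(T0 + timedelta(minutes=12), "alice", "user", "New Scheduled Task",      30, "Persistence"),
    RiskEvent(T0 + timedelta(minutes=40), "alice", "user", "Unusual Volume Outbound", 60, "Exfiltration"),
    RiskEvent(T0 + timedelta(hours=2),    "bob",   "user", "Rare Process Launched",   20, "Execution"),
    RiskEvent(T0 + timedelta(hours=3),    "bob",   "user", "Rare Process Launched",   20, "Execution"),
    RiskEvent(T0 - timedelta(days=3),     "carol", "user", "Unusual Volume Outbound", 60, "Exfiltration"),
    RiskEvent(T0 + timedelta(hours=1),    "carol", "user", "New Scheduled Task",      30, "Persistence"),
]


@dataclass
class RiskSummary:
    """Per-entity aggregate over the analysis window."""
    risk_object: str
    total_score: int = 0
    rules: set = field(default_factory=set)
    tactics: set = field(default_factory=set)


def summarize(events, window_end, window=timedelta(hours=24)):
    """Aggregate risk events per risk_object within [window_end - window, window_end].

    This is the 'correlate against the risk index' step: nothing here alerts,
    it only builds the story per entity.
    """
    start = window_end - window
    summaries = {}
    for ev in events:
        if not (start <= ev.time <= window_end):
            continue  # outside the analysis window, ignored
        s = summaries.setdefault(ev.risk_object, RiskSummary(ev.risk_object))
        s.total_score += ev.score
        s.rules.add(ev.rule)
        s.tactics.add(ev.tactic)
    return summaries


def risk_incident_rule(events, window_end, score_threshold=100, min_tactics=3):
    """Model of a Risk Incident Rule: emit a Risk Based Notable per entity that
    crosses either trigger (assumed thresholds). Returns a list of notables."""
    notables = []
    for s in summarize(events, window_end).values():
        reasons = []
        if s.total_score >= score_threshold:
            reasons.append(f"score {s.total_score} >= {score_threshold}")
        if len(s.tactics) >= min_tactics:
            reasons.append(f"{len(s.tactics)} distinct ATT&CK tactics")
        if reasons:
            notables.append({
                "risk_object": s.risk_object,
                "score": s.total_score,
                "rules": sorted(s.rules),
                "reasons": reasons,
            })
    return notables


if __name__ == "__main__":
    window_end = T0 + timedelta(hours=4)
    notables = risk_incident_rule(RISK_INDEX, window_end)
    print(f"{len(RISK_INDEX)} risk events in the index -> {len(notables)} notable(s)")
    for n in notables:
        print(n)
```

Running it shows the abstraction the page is describing: seven individual rule hits, each of which would have been its own alert under a conventional correlation-rule approach, collapse to a single notable for `alice`, whose low-scoring events span three tactics. `bob` repeatedly trips one rule but never accumulates enough risk, and `carol`'s earlier high-scoring event falls outside the window, so neither reaches an analyst.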

Tune in to hear about the benefits of Splunk RBA:


  • Reduce Alerts: Leverage risk as a layer of abstraction

  • Improved Detection: Dramatic Detections

  • Quantified Maturity: Easier to align with a framework like MITRE ATT&CK for data sources, detections, and purple teaming

  • Analyst Scale: Decouple the number of detections and data sources from the linear scaling of the SOC analysts

  • Increased Analytics Window: Ability to look across much larger windows for low-and-slow activity. Red team's job is MUCH harder

  • Easy to Deploy: Easier to map against an industry framework than general use cases. Easy to integrate with SSE and ESCU