Skip to content
/ rba Public

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.

Notifications You must be signed in to change notification settings

splunk/rba

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

RBA all day

Docs

Welcome to the wonderful world of Risk-Based Alerting!

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.

Documentation

See the web based documentation at https://splunk.github.io/rba/

Searches

Useful SPL from the RBA community for working with risk events.

Dashboards

Simple XML or JSON for Splunk dashboards to streamline risk analysis.

Risk Rules

Splunk's Threat Research Team has an incredible library of over 1000 detections in the Splunk's Enterprise Security Content Updates library. You can use Marcus Ferrera and Drew Church's awesome ATT&CK Detections Collector to pop out a handy HTML file of relevant ESCU detections for you to align with MITRE ATT&CK.

About

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.

Topics

Resources

Stars

Watchers

Forks