splunk / rba

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.

Home Page:https://splunk.github.io/rba/

RBA all day

Docs

Welcome to the wonderful world of Risk-Based Alerting!

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.

Documentation

See the web-based documentation at https://splunk.github.io/rba/

Searches

Useful SPL from the RBA community for working with risk events.
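As an added illustration of the aggregation described above (this search is not from the rba repository or the community searches it links to): an SPL search that sums risk scores per risk object in the Enterprise Security risk index and surfaces only objects that accumulated a high score across several distinct ATT&CK tactics. The field names follow the ES risk index; the index name, time window and the two thresholds are assumptions to tune for your environment.

```spl
index=risk earliest=-24h
| stats sum(risk_score) as total_risk
        dc(search_name) as distinct_rules
        dc(annotations.mitre_attack.mitre_tactic) as distinct_tactics
        values(search_name) as contributing_rules
        values(annotations.mitre_attack.mitre_tactic) as tactics
        latest(_time) as last_seen
        by risk_object risk_object_type
| where total_risk >= 100 AND distinct_tactics >= 3
| convert ctime(last_seen)
| sort - total_risk
```

Each row is one risk object (a user or a host) with the rules and tactics that contributed, so an analyst reviews one aggregated alert rather than every low-fidelity observation behind it.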

Dashboards

Simple XML or JSON for Splunk dashboards to streamline risk analysis.

Risk Rules

Splunk's Threat Research Team has an incredible library of over 1000 detections in Splunk's Enterprise Security Content Update (ESCU) library. You can use Marcus Ferrera and Drew Church's awesome ATT&CK Detections Collector to pop out a handy HTML file of relevant ESCU detections for you to align with MITRE ATT&CK.