Splunk Lantern

Using risk-based alerting and detection in Enterprise Security 8.0


You are a security analyst or administrator using Splunk Enterprise Security 8.0 who wants to understand and implement risk-based alerting (RBA) more effectively.

Solution

This video shows you:

  • How RBA functions in Splunk Enterprise Security 8.0, including the functionality that has changed from versions 7.x and the functionality that has stayed the same.
  • Detail on the changes to terminology, such as renaming "notable events" to "findings" and "risk events" to "intermediate findings."
  • Updates to detection rules, including renaming "correlation searches" to "detections" or "detection rules."
  • The introduction of required fields for entity and risk score modifiers in findings and intermediate findings.
  • The continued use of existing risk incident rules, with optimizations for performance.
  • The addition of "finding-based detections," a preview feature offering an easier, SPL-free approach to manage and aggregate risk.

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

In addition, these resources might help you understand and implement this guidance: