Using risk-based alerting and detection in Enterprise Security 8.0
You are a security analyst or administrator using Splunk Enterprise Security 8.0 who wants to understand and implement risk-based alerting (RBA) more effectively.
Solution
This video shows you:
- How RBA functions in Splunk Enterprise Security 8.0, including what has changed from versions 7.x and what has stayed the same.
- Details on the changes to terminology, such as renaming "notable events" to "findings" and "risk events" to "intermediate findings."
- Updates to detection rules, including renaming "correlation searches" to "detections" or "detection rules."
- The introduction of required fields for entity and risk score modifiers in findings and intermediate findings.
- The continued use of existing risk incident rules, with optimizations for performance.
- The addition of "finding-based detections," a preview feature offering an easier, SPL-free approach to manage and aggregate risk.
Next steps
In addition, these resources might help you understand and implement this guidance:
- Splunk Docs: About Splunk Enterprise Security
- Product Tip: Installing and upgrading to Splunk Enterprise Security 8x
- Product Tip: Using Enterprise Security 8.0 workflows
- Product Tip: Enabling auto-refresh on the Analyst queue in Enterprise Security
- Product Tip: Searching investigation artifacts with the Analyst queue in Enterprise Security 8.0