Investigating interesting behavior patterns with risk-based alerting

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

As an analyst working with Splunk Enterprise Security, you frequently look at the Incident Review panel and notice a lot of notables there. Many of these notables, on their own, aren't significant enough to warrant an alert being associated with them. However, they could warrant investigation when they occur in conjunction with other notables, indicating a pattern of behavior that could be suspicious. You want a better way to work with these events without adding extra noise to your already noisy alert environment.

Solution

Risk-based alerting allows you to alert based on combinations of observations about a user or system. It acts like a layer between observation and alerting by building risk scores that only trigger when the observations and metadata associated with that user or system reach a certain threshold.

There are several benefits associated with this:

You can improve your operational maturity. You'll move from seeing alerts associated with disconnected security events to seeing much more contextualized security stories that allow you to see patterns of behavior over time.
You can operationalize the MITRE ATT&CK framework, use frameworks like the Cyber Kill Chain framework, or even develop your own frameworks, depending on what security metadata you want to apply to individual data events.
You can reduce alert volume while increasing alert fidelity. Instead of ignoring noise, you combine observations and then alert on them in a more intelligent manner.

You can learn more about how to set up risk-based alerting in our article, Implementing risk-based alerting.

After you've got risk-based alerting set up, watch this video to see a demo of how to work with risk-based alerts in Splunk Enterprise Security. This video shows you:

How to use the event timeline to see when events occurred
How to review risk scores, MITRE ATT&CK annotations and threat objects
How risk scores are calculated and enriched with security metadata

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

For a comprehensive RBA demo and workshop, or to engage Professional Services for setting up RBA in your environment, reach out to your Splunk account team or representative. In addition, these Splunk resources might help you understand and implement this use case:

.Conf Talk: Building behavioral detections: Cross-correlating suspicious activity with the MITRE ATT&CK framework
.Conf Talk: Modernize and mature your SOC with risk-based alerting
.Conf Talk: Getting started with risk-based alerting and MITRE
.Conf Talk: Tales from a threat team: Lessons and strategies for succeeding with a risk-based approach
.Conf Talk: Full speed ahead with risk-based alerting (RBA)
.Conf Talk: Streamlining analysis of security stories with risk-based alerting
Docs: Isolate threats with risk alerting