One of the main focuses of any Security Operations Center is to review and triage generated alerts. Alerts notify the team of a potential threat, anomaly, or incident. As new data sources, applications, or cloud environments are added over time, the volume of alerts can begin to overwhelm the alerting process or even shift the team's focus. Security analysts must have a way to categorize alerts by priority and level of risk. Some alerts carry a higher urgency based on the criticality of the affected system. For example, you might assign a higher priority to an alert that concerns your production web server than to one that concerns your email server. Splunk Enterprise Security provides the capability to change alert priority based on your assessment of the risk to your business.
Prioritization by urgency
In Splunk Enterprise Security, notable events are assigned an urgency level of Unknown, Low, Medium, Informational, High, or Critical. Urgency is assigned automatically based on settings in your correlation search and helps you categorize, track, and assign the events. You can customize the default settings to change the priority level.
Prioritization by risk - Risk-based alerting
On the Incident Review page in Splunk Enterprise Security, you can create custom risk notables to identify threats in your environment. In your notable, you can set the fields for the risk_object as well as the risk_score. Doing so allows you to set a higher score for your most important assets and prioritize alerting so that the most critical threats get the fastest response.
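The aggregation behind risk-based alerting, as an added example that is not Splunk's code: each correlation search contributes a risk_score to a risk_object, the score is scaled by the asset's criticality (so a production web server outweighs a mail server), and a risk notable is raised only when both the summed score and the number of distinct contributing searches cross a threshold. The asset names, multipliers, thresholds, and risk events are constructed for illustration.

```python
"""Risk-based alerting aggregation over risk_object / risk_score events.
Added example with constructed data; not Splunk Enterprise Security code."""
from collections import defaultdict

# Constructed asset criticality table and weights (assumed values).
ASSET_PRIORITY = {"prod-web-01": "critical", "mail-01": "medium"}
PRIORITY_MULTIPLIER = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}

# Constructed risk events, one per correlation search hit.
RISK_EVENTS = [
    {"risk_object": "prod-web-01", "source": "Brute Force Attempt", "risk_score": 20},
    {"risk_object": "prod-web-01", "source": "Suspicious Web Shell Write", "risk_score": 40},
    {"risk_object": "prod-web-01", "source": "Outbound to Rare Domain", "risk_score": 30},
    {"risk_object": "mail-01", "source": "Brute Force Attempt", "risk_score": 20},
    {"risk_object": "mail-01", "source": "Brute Force Attempt", "risk_score": 20},
]

def weighted_score(event, asset_priority=ASSET_PRIORITY):
    """Scale the search's base risk_score by the asset's criticality."""
    level = asset_priority.get(event["risk_object"], "medium")
    return event["risk_score"] * PRIORITY_MULTIPLIER[level]

def aggregate_risk(events, asset_priority=ASSET_PRIORITY):
    """Sum weighted scores and collect distinct sources per risk_object."""
    totals = defaultdict(lambda: {"risk_score": 0.0, "sources": set()})
    for ev in events:
        agg = totals[ev["risk_object"]]
        agg["risk_score"] += weighted_score(ev, asset_priority)
        agg["sources"].add(ev["source"])
    return totals

def urgency_for(score):
    """Map an aggregated score to an urgency label (thresholds assumed)."""
    if score >= 150:
        return "critical"
    if score >= 100:
        return "high"
    return "medium" if score >= 50 else "low"

def risk_notables(events, score_threshold=100, min_sources=2):
    """Raise a risk notable only when the summed score AND the count of distinct
    contributing searches both cross their thresholds, so one noisy search
    repeating against one host cannot raise a notable by itself."""
    notables = []
    for obj, agg in aggregate_risk(events).items():
        if agg["risk_score"] >= score_threshold and len(agg["sources"]) >= min_sources:
            notables.append({"risk_object": obj, "risk_score": agg["risk_score"],
                             "source_count": len(agg["sources"]),
                             "urgency": urgency_for(agg["risk_score"])})
    return sorted(notables, key=lambda n: n["risk_score"], reverse=True)

if __name__ == "__main__":
    for notable in risk_notables(RISK_EVENTS):
        print(notable)
```

With the constructed data only prod-web-01 becomes a notable (three distinct searches, weighted score 180), while the repeated brute-force hits on mail-01 stay below both thresholds.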
What risk-based alerting and risk prioritization processes can I put in place?
Splunk recommends following the Prescriptive Adoption Motion: Risk-based alerting. This guide walks you step by step through managing assets, data, and alert volumes, as well as automation, measuring success, and securing leadership buy-in.
- Implementing risk-based alerting: Risk-based alerting provides teams with a unique opportunity to pivot resources from traditionally reactive functions to proactive functions in the SOC.
- Investigating interesting behavior patterns with risk-based alerting: You want a better way to work with interesting events without adding extra noise to your already noisy alert environment.
- Prescriptive Adoption Motion - Risk-based alerting: Risk-based alerting (RBA) provides teams with a unique opportunity to pivot resources from traditionally reactive functions to proactive functions in the SOC.