Risk-based alerting is gaining traction in the SOC: by using multiple lower-fidelity searches to drive higher-fidelity investigations, it lets analysts rapidly prioritize investigations, correlate "risk objects" (such as users and hosts) across alerts, identify gaps in monitoring, and generally understand attack narratives. We'll discuss the first steps needed to transition from the traditional one-to-one ticket investigation model to this holistic approach: how risk-based alerting works, the prerequisites, and dashboard optimization. We will also discuss how to start building a comprehensive search inventory based on Splunk analytics, MITRE ATT&CK, and your own threat intelligence.
Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1538.pdf?podcast=1577146233
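The core mechanism the abstract describes, shown as an added example that is not code from the talk or from Splunk: several low-fidelity searches each write a small risk score against a risk object (a user or a system), and an investigation is opened only when the aggregated score, or the number of distinct ATT&CK techniques seen, crosses a threshold. The event fields (`risk_object`, `risk_object_type`, `risk_score`, `source`, `mitre_technique`), the sample events, the scores, the time window and the thresholds are all constructed assumptions; the design choice worth noting is that a search which fires repeatedly against the same object contributes only its highest single score, so one noisy search cannot raise an alert by itself.

```python
"""Risk-based alerting in miniature (added example; not Splunk's own code).

Low-fidelity detections each emit a "risk event" against a risk object.
Nothing here alerts on its own; alerts come from aggregation.
"""
from collections import defaultdict

# Assumed thresholds for the risk incident rule.
RISK_THRESHOLD = 50        # aggregated score that merits an investigation
DISTINCT_TECHNIQUES = 3    # or this many distinct ATT&CK techniques

# Constructed sample risk events, one per low-fidelity search firing.
# Field names are assumptions loosely modeled on a risk index; scores are made up.
RISK_EVENTS = [
    {"time": 10, "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 10, "source": "Multiple Failed Logons", "mitre_technique": "T1110"},
    {"time": 20, "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 15, "source": "Rare Process Execution", "mitre_technique": "T1059"},
    {"time": 30, "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "source": "New Scheduled Task", "mitre_technique": "T1053"},
    {"time": 40, "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 15, "source": "Large Outbound Transfer", "mitre_technique": "T1048"},
    {"time": 25, "risk_object": "host-42", "risk_object_type": "system",
     "risk_score": 15, "source": "Rare Process Execution", "mitre_technique": "T1059"},
    # The same search firing three times against asmith: summing would give 65
    # and alert, taking the max per source gives 45 and does not.
    {"time": 50, "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 10, "source": "Multiple Failed Logons", "mitre_technique": "T1110"},
    {"time": 55, "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 10, "source": "Multiple Failed Logons", "mitre_technique": "T1110"},
    {"time": 60, "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 45, "source": "Multiple Failed Logons", "mitre_technique": "T1110"},
    # Outside the aggregation window; must be ignored.
    {"time": 90000, "risk_object": "svc-backup", "risk_object_type": "user",
     "risk_score": 100, "source": "Rare Process Execution", "mitre_technique": "T1059"},
]


def aggregate_risk(events, window=(0, 3600)):
    """Group risk events by (type, object) inside the window.

    Repeated firings of the same search against one object count once,
    at their highest score, so a single noisy search cannot alert alone.
    Returns {(type, object): {"score", "techniques", "narrative"}}.
    """
    start, end = window
    per_object = defaultdict(dict)  # (type, object) -> source -> best event
    for ev in events:
        if not start <= ev["time"] <= end:
            continue
        key = (ev["risk_object_type"], ev["risk_object"])
        best = per_object[key].get(ev["source"])
        if best is None or ev["risk_score"] > best["risk_score"]:
            per_object[key][ev["source"]] = ev

    summary = {}
    for key, by_source in per_object.items():
        contributing = sorted(by_source.values(), key=lambda e: e["time"])
        summary[key] = {
            "score": sum(e["risk_score"] for e in contributing),
            "techniques": sorted({e["mitre_technique"] for e in contributing}),
            # Time-ordered list of what fired: the attack narrative an analyst reads.
            "narrative": [(e["time"], e["source"], e["mitre_technique"])
                          for e in contributing],
        }
    return summary


def risk_notables(events, threshold=RISK_THRESHOLD,
                  min_techniques=DISTINCT_TECHNIQUES, window=(0, 3600)):
    """Return risk objects that merit an investigation, highest score first."""
    notables = []
    for (otype, obj), s in aggregate_risk(events, window).items():
        reasons = []
        if s["score"] >= threshold:
            reasons.append(f"score {s['score']} >= {threshold}")
        if len(s["techniques"]) >= min_techniques:
            reasons.append(f"{len(s['techniques'])} distinct ATT&CK techniques")
        if reasons:
            notables.append({"risk_object_type": otype, "risk_object": obj,
                             "score": s["score"], "techniques": s["techniques"],
                             "reasons": reasons, "narrative": s["narrative"]})
    return sorted(notables, key=lambda n: n["score"], reverse=True)


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS):
        print(f"{n['risk_object_type']}:{n['risk_object']} -> {', '.join(n['reasons'])}")
        for t, source, tech in n["narrative"]:
            print(f"  t={t:<6} {tech:<6} {source}")
```

With the constructed data only `jdoe` is raised (four searches, four techniques, score 60); `host-42` has one weak signal, `asmith` is held at 45 by the per-source cap, and `svc-backup` falls outside the window. Tuning the threshold, the cap and the window against your own false-positive rate is the work the talk's "prerequisites" and "search inventory" steps are about.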