Empowering a Smart Security Posture with Risk-Based Alerting (RBA) 

In an era defined by digital innovation and interconnectedness, the landscape of cybersecurity continues to evolve at a rapid pace. As best practices like Risk-Based Alerting (RBA) aid organizations in navigating complex threat landscapes and digital transformations, mastering effective strategic approaches to cybersecurity becomes paramount. At SP6, we not only provide cutting-edge cybersecurity consulting leveraging Splunk technology but also emphasize the critical role of our security domain expertise in driving impactful initiatives like Risk-Based Alerting (RBA).  

The Value of Using Risk-Based Alerting (RBA) 

Risk-Based Alerting represents a paradigm shift in cybersecurity strategy, focusing on proactive threat detection, risk prioritization, and targeting suspicious activities. Powered by Splunk’s advanced capabilities, our approach goes beyond traditional reactive measures to empower organizations with real-time visibility, actionable insights, and adaptive security measures.

“Implementing Splunk RBA has significantly improved our security team’s efficiency by reducing alert fatigue and allowing us to concentrate on high-risk events.” – Chief Information Security Officer (CISO) at a Fortune 500 company  

The Splunk RBA Model 

The Splunk RBA model is the cornerstone of an efficient security detection approach. It shifts detection away from the traditional practice of alerting on every suspicious or malicious activity. Any one of those alerts is highly likely to be a false positive, and creating many such detections in an environment generates noise that usually leads to alert fatigue. RBA instead makes detection more effective, smart, and proactive by correlating activities and integrating them with the RBA model, which focuses on three main rules:

  • Score threshold 100 exceeded over 24 hours: This alert uses combined scores of events to trigger an alert.  
  • Events from multiple source types over 3 days: This alert uses three unique data sources that generate events from a single machine. 
  • Multiple MITRE ATT&CK tactics observed over 7 days: This alert uses observations tagged with MITRE ATT&CK tactics and techniques. 

RBA Model Example  

Imagine a large financial institution that relies heavily on its digital infrastructure for operations. Within this institution, there’s a robust cybersecurity system in place that constantly monitors for potential threats. Now, let’s consider a scenario where an attacker attempts to breach the system using a combination of sophisticated techniques. 

Initial Intrusion Attempt: The attacker tries to gain unauthorized access to the institution’s network using a phishing email campaign. This action triggers the first risk event in the cybersecurity system, but it’s flagged with a low-risk score because it’s a common occurrence and doesn’t seem particularly alarming on its own. 

Lateral Movement: Once inside the network, the attacker starts probing different systems and attempting to move laterally to escalate their privileges. Each attempt triggers additional risk events, each with its own low-risk scores, as they try various techniques to navigate the network undetected. 

Data Exfiltration Attempt: As the attacker progresses, they identify sensitive data stored within the institution’s databases. They attempt to exfiltrate this data out of the network, triggering another risk event. Again, individually, each of these events might seem relatively minor. 

MITRE ATT&CK Techniques: Unbeknownst to the attacker, their actions align with the MITRE ATT&CK framework, falling under tactics such as Initial Access, Execution, and Exfiltration. While each action on its own may not raise alarms, the correlation with these well-known techniques adds weight to the collective risk.

Unique Data Sources and Time Frames: The cybersecurity system not only tracks these events but also associates them with unique data sources across various time frames. For instance, it notes unusual activity during non-business hours, access attempts from unrecognized IP addresses, and deviations from typical user behavior. 

Now, despite each of these individual risk events being assigned a low score, the Risk-Based Alert (RBA) engine within the cybersecurity system identifies a pattern. It recognizes that these seemingly disparate events, when viewed together, indicate a coordinated and sophisticated attack. The RBA engine correlates these events, taking into account their alignment with specific MITRE ATT&CK techniques and the unique data sources and time frames involved. 

As a result, even though the system generates only a single risk notable alert, it effectively communicates the severity of the situation to the security analysts. The correlated alerting provided by RBA tells a high-fidelity security story, enabling analysts to understand the full scope of the threat and take appropriate action to mitigate it before significant damage occurs. 
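
The three rules listed earlier, applied to the scenario above, as an added Python example (not SP6's or Splunk's code). The host names, source names, event fields, and the min_tactics value of 3 are assumptions made for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One risk event as a risk rule might emit it; field names are illustrative.
RiskEvent = namedtuple("RiskEvent", "time risk_object score source tactic")

def evaluate(events, now, min_tactics=3):
    """Return {risk_object: [rules that fire]} as of `now`.

    min_tactics is an assumption: the page does not say how many tactics
    count as "multiple".
    """
    def by_object(days):
        grouped = {}
        for e in events:
            if now - timedelta(days=days) <= e.time <= now:
                grouped.setdefault(e.risk_object, []).append(e)
        return grouped

    fired = {}
    for obj, evs in by_object(1).items():   # combined score over 24 hours
        if sum(e.score for e in evs) > 100:
            fired.setdefault(obj, []).append("score_threshold_24h")
    for obj, evs in by_object(3).items():   # three unique sources over 3 days
        if len({e.source for e in evs}) >= 3:
            fired.setdefault(obj, []).append("multiple_sources_3d")
    for obj, evs in by_object(7).items():   # distinct tactics over 7 days
        if len({e.tactic for e in evs}) >= min_tactics:
            fired.setdefault(obj, []).append("multiple_tactics_7d")
    return fired

# Constructed sample data following the scenario above (not real telemetry).
NOW = datetime(2024, 5, 10, 12, 0)
def ago(**kw):
    return NOW - timedelta(**kw)

EVENTS = [
    RiskEvent(ago(days=6), "fin-ws-042", 20, "email_gateway", "Initial Access"),
    RiskEvent(ago(days=2), "fin-ws-042", 25, "edr", "Execution"),
    RiskEvent(ago(hours=36), "fin-ws-042", 30, "windows_security", "Lateral Movement"),
    RiskEvent(ago(hours=5), "fin-ws-042", 30, "windows_security", "Lateral Movement"),
    RiskEvent(ago(hours=2), "fin-ws-042", 40, "proxy", "Exfiltration"),
    RiskEvent(ago(hours=3), "hr-ws-007", 40, "edr", "Execution"),  # isolated noise
]

if __name__ == "__main__":
    for obj, rules in evaluate(EVENTS, NOW).items():
        print(obj, rules)
```

On this data the host never exceeds 100 points in any 24-hour window, yet the 3-day and 7-day rules still fire, which is the slow, low-score pattern the scenario describes.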

RBA Model Main Components  

The RBA model encompasses key components that enable organizations to assess and mitigate risks effectively:

Risk Factor: This is the foundation of RBA. It assesses the risk associated with each object (Asset or Identity) in the event or alert based on factors like priority, severity, relevance, and compromise impact on the organization. 

Risk Rules: A risk rule is a specific type of correlation search created to analyze raw events to identify potential signs of malicious behavior. 

Risk Scores: Each object in an alert is assigned a risk score based on the risk factor and rules. This score helps prioritize alerts, with higher scores indicating greater urgency or severity. 

At SP6, we have excellent security experts who work hand in hand with our clients to utilize the Risk Factor and Risk Scores by assessing the risk associated with each object (Asset or Identity) based on factors such as priority, severity, relevance, and potential impact on the organization. Because these components are so important, SP6 helps the client by deep diving into the client’s Assets and Identities structure and making sure that the data has been ingested, normalized, and tagged efficiently.

This foundational analysis ensures that alerts are prioritized effectively, focusing resources where they are most needed: Splunk monitors these objects, assesses the scores as defined, and alerts on any high-risk activity using the rule (Score threshold 100 exceeded over 24 hours).

Because threat actors plan and execute their attacks meticulously, security operators often struggle to guarantee that their defenses are adequate. Utilizing the MITRE ATT&CK framework in conjunction with Splunk Enterprise Security and the RBA Model enables organizations to verify the implementation of security practices across a wide range of potential attack vectors.

By mapping detection rules to their relevant MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), we assess coverage and identify defense gaps. Once these rules are integrated into the RBA model, Splunk can correlate the detections and detect continuous, connected suspicious activity using the rule (Multiple MITRE ATT&CK tactics observed over 7 days).

By integrating these components seamlessly into the security operations, SP6 will ensure a comprehensive and responsive approach to risk management, ultimately delivering a high standard of service and safeguarding your digital assets effectively. 


Dive into the future of cybersecurity with our cutting-edge service offering: Implementing Splunk RBA (Risk-Based Alerting). By leveraging Splunk’s advanced analytics and risk prioritization, we empower your security operations to focus on what truly matters – identifying and responding to high-risk threats efficiently.

SP6’s approach not only streamlines alert management but also aligns your security strategy with your business objectives, ensuring a proactive and resilient defense against evolving cyber threats. Join the ranks of industry leaders who trust our expertise to safeguard their critical assets effectively in today’s complex threat landscape. 

Learn more from Splunk Core Certified Professionals in our webinar: Mastering Risk-Based Alerting in Splunk ES & Splunk SOAR: Enhance Security Operations!