Risk-Based Alerting (RBA) for Splunk Enterprise Security Explained—Bite-Size Webinar Series (Part 3)
Summary
TLDR: This webinar is about risk-based alerting (RBA), the third part of the Enterprise Security series. The presenter first introduces the controls related to network monitoring and incident response management, then explains why RBA is a useful approach and how it fits together with the risk framework. Next, the configuration and usage needed for a successful RBA implementation are discussed, and a demonstration shows how it works. RBA collects data on suspicious behaviour, applies risk scores and annotations, aggregates them in a risk index, and only alerts when a certain threshold is reached, which reduces noise and raises alert fidelity. It also covers how to implement RBA using the risk data model, indicator rules and dashboards in Splunk Security Essentials and the Enterprise Security build.
Takeaways
- 📈 Risk-based alerting (RBA) is the third part of the Enterprise Security series and aims to improve the security alerting system through the risk framework.
- 🔍 RBA reduces the noise of the alert volume, helping security teams respond faster to real threats and avoid alert fatigue and staff turnover.
- 🛡️ Two key CIS Controls (13 and 17), covering network monitoring and defense and incident response management, are the foundation for implementing RBA.
- 🤖 RBA works by first collecting observations of suspicious behaviour, then sending them to the risk index and applying risk scores and annotations.
- 👀 In practice, RBA accumulates risk scores across multiple events and triggers an alert when a threshold is exceeded, ensuring analysts focus only on high-risk events.
- 🔑 Key factors to consider when implementing RBA include the risk score assigned to each rule, the thresholds or measures of interest, and which correlation rules are suited to risk-based learning.
- 🛠️ Splunk Security Essentials provides risk-related content that helps users filter and find content suited to RBA use cases.
- 📊 The risk data model and risk indicator rules are important tools in Splunk Enterprise Security for analysing and managing risk data.
- 📚 The Security Intelligence > Risk Analysis dashboard in Splunk gives deep insight into the distribution and correlation of risk in the environment.
- 🔗 The risk framework allows events to be created via correlation searches, after which an adaptive response action produces risk and applies it to the risk index.
- 📝 The risk factor editor allows the risk applied by a rule to be adjusted dynamically, increasing the risk score based on specific conditions (such as admin users or critical assets).
Q & A
What is risk-based alerting?
- Risk-based alerting is a security approach that collects and evaluates suspicious behaviour, classifies it as observations and sends them into a risk index. Unlike traditional direct alerting, it identifies anomalous behaviour by applying risk scores and annotations, then looks for collections or correlations of behaviour in the risk index and alerts when a certain threshold is reached.
Why is risk-based alerting (RBA) needed?
- Traditional alerting systems often overwhelm security teams with too many alerts, which can lead to ignored alerts, slower detection and response, and fatigue and turnover among security staff. RBA aims to reduce this noise and improve alert relevance and accuracy in a smarter way.
What role do CIS Controls 13 and 17 play in risk-based alerting?
- CIS Control 13 focuses on network monitoring and defense, emphasising the establishment and maintenance of comprehensive network monitoring and defense against security threats to the enterprise network. CIS Control 17 focuses on incident response management, being able to respond to an attack quickly and provide more information. These two controls provide the security monitoring and response mechanisms that risk-based alerting needs.
How is risk-based alerting implemented?
- Implementing risk-based alerting first requires collecting the relevant data, then applying risk scores and annotations, observing suspicious behaviour and sending it into the risk index. Next, correlations of behaviour are looked for in the risk index, and an alert is raised when the risk reaches a certain threshold.
How is the alert threshold determined in risk-based alerting?
- The alert threshold can be determined by different conditions and does not have to be based on a fixed score. It can be the number of tactics involved, the number of times different use cases or searches have triggered, or a combination of multiple different techniques or tactics.
What is the risk framework?
- The risk framework is a fundamental framework of Enterprise Security: correlation searches are created, they trigger alerts, risk is applied and added to the risk index, and the risk data model then extracts the information that the risk indicator rules use to alert.
How is risk-based alerting configured and used?
- Configuring and using risk-based alerting requires thinking about the score applied to each rule and the thresholds or measures of interest, and deciding which correlation rules suit risk-based learning and which rules need to alert. Risk data also needs to be managed and viewed through applications such as Splunk Security Essentials.
How is risk managed through the Splunk Security Essentials app?
- In the Splunk Security Essentials app, all risk-related configuration can be viewed and managed, including saved searches, macros, lookups and so on. The app contains the risk data model, out-of-the-box searches, risk indicator rules, and the risk dashboards and macros.
What does the risk factor editor do in risk-based alerting?
- The risk factor editor allows the risk applied by a rule to be adjusted dynamically based on specific conditions. For example, if the user is an administrator, the risk score can be increased to reflect the higher-risk situation.
How are risk events viewed and managed in Splunk Enterprise Security?
- In Splunk Enterprise Security, risk can be managed by viewing correlation searches, enabled content and risk events. The risk dashboards show risk scores, active sources and details of risk events, and support threat hunting.
How does risk analysis improve insight into environment risk?
- Security Intelligence > Risk Analysis gives a detailed view of the risk in the environment, including risk scores by object and the most active sources. This helps security analysts quickly understand which assets face higher risk and take the appropriate response.
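As an added illustration (not the webinar's or Splunk's own code), the following Python models the mechanics described above: risk events accumulate per risk object in a risk index, a risk factor multiplies a privileged user's score (18 × 1.5 = 27), and two risk indicator rules decide when to alert (over 100 points in 24 hours; at least three ATT&CK tactics and four sources in seven days). The timeline, object names, rule names and tactic annotations are constructed sample data, not real Splunk content.

```python
"""Toy model of Splunk ES risk-based alerting: risk events accumulate in a risk
index per risk object, risk factors adjust scores, and risk indicator rules
alert only when a threshold is crossed. Added illustration, not Splunk code."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str      # the user or device the risk is tied to
    source: str           # correlation search (risk rule) that observed it
    score: int            # risk applied by that rule
    tactics: tuple        # MITRE ATT&CK tactic annotations on the rule


def apply_risk_factor(base_score: int, is_privileged: bool, factor: float = 1.5) -> int:
    """Risk factor editor logic: multiply the rule's score for privileged accounts."""
    return int(base_score * factor) if is_privileged else base_score


def events_in_window(index, risk_object, now, window):
    """Risk events for one object within the look-back window ending at `now`."""
    return [e for e in index
            if e.risk_object == risk_object and now - window <= e.time <= now]


def risk_score(index, risk_object, now, window=timedelta(hours=24)) -> int:
    """Accumulated risk score for the object over the window (default 24 hours)."""
    return sum(e.score for e in events_in_window(index, risk_object, now, window))


def score_threshold_rule(index, risk_object, now, threshold=100) -> bool:
    """24-hour rule from the webinar: alert when the object is over 100 points."""
    return risk_score(index, risk_object, now) > threshold


def tactic_source_rule(index, risk_object, now, min_tactics=3, min_sources=4) -> bool:
    """7-day rule: at least three distinct ATT&CK tactics and four distinct sources."""
    evs = events_in_window(index, risk_object, now, timedelta(days=7))
    tactics = {t for e in evs for t in e.tactics}
    sources = {e.source for e in evs}
    return len(tactics) >= min_tactics and len(sources) >= min_sources


# Constructed sample risk index following the webinar's timeline for one device,
# plus a separate user whose score was raised by the admin risk factor.
D = datetime(2023, 1, 10)


def at(h, m):
    return D.replace(hour=h, minute=m)


RISK_INDEX = [
    RiskEvent(at(9, 55), "laptop-01", "Potential Spear Phishing", 10, ("initial-access",)),
    RiskEvent(at(13, 23), "laptop-01", "Unknown Software Executed", 20, ("execution",)),
    RiskEvent(at(13, 24), "laptop-01", "Security Controls Disabled", 20, ("defense-evasion",)),
    RiskEvent(at(13, 40), "laptop-01", "Suspicious PowerShell", 20, ("execution",)),
    RiskEvent(at(13, 55), "laptop-01", "Service Installed", 20, ("persistence",)),
    RiskEvent(at(14, 15), "laptop-01", "Suspicious Lateral Movement", 20, ("lateral-movement",)),
    # AWS console login from a new city: 18 points, x1.5 because "alice" is an admin
    RiskEvent(at(11, 0), "alice", "AWS Console Login From New City",
              apply_risk_factor(18, is_privileged=True), ("initial-access",)),
]


def evaluate(index, risk_object, now):
    """Run both risk indicator rules; return (24h score, names of rules that fired)."""
    fired = []
    if score_threshold_rule(index, risk_object, now):
        fired.append("score>100/24h")
    if tactic_source_rule(index, risk_object, now):
        fired.append("3 tactics & 4 sources/7d")
    return risk_score(index, risk_object, now), fired


if __name__ == "__main__":
    for obj in ("laptop-01", "alice"):
        print(obj, evaluate(RISK_INDEX, obj, at(14, 30)))
```

Before the 2:15 PM lateral movement event the laptop sits at 90 points and the score rule stays quiet, while the single 27-point event for the admin user never reaches either threshold on its own.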
Outlines
😀 Overview of risk-based alerting
This section introduces the topic of the webinar, risk-based alerting (RBA), the third part of the Splunk security series. It discusses the importance of RBA within the risk framework and how RBA improves enterprise security. CIS Controls 13 and 17 are mentioned, covering network monitoring and defense and incident response management respectively. The shortcomings of traditional alerting are emphasised, such as analyst fatigue and slow response caused by too many alerts, while RBA aims to solve these problems by reducing noise and raising alert quality.
🔍 How RBA works and how it looks in practice
A detailed explanation of how risk-based alerting (RBA) works, including observing suspicious behaviour, classifying it as observations, feeding those observations into the risk index, and applying risk scores and annotations to them. It discusses looking for behaviour patterns in the risk index and alerting when a certain threshold is reached. A practical example shows how risk scores accumulate over time and an alert is raised once the threshold is exceeded, improving alert coverage and accuracy.
🛠️ Configuring and applying RBA
Explores the key factors to consider when implementing RBA, including assigning a risk score to each rule, determining the thresholds or measures of interest, and thinking about which correlation rules are best suited to risk-based learning. Introduces the setup of the risk framework, including creating correlation searches, triggering alerts, adaptive response actions and use of the risk data model. Also mentions how analyst feedback and threat hunting can strengthen the risk framework, and introduces Splunk's security threat intelligence app.
📚 Exploring and configuring risk-related use cases
Introduces how to find risk-related use cases in Splunk Security Essentials, including compliance, application security monitoring and other content. Discusses how to filter and recommend risk-based content through Security Essentials or the Analytics Advisor. Also shows how to configure correlation searches in Splunk Enterprise Security, explains in detail how correlation searches are annotated, and how the risk factor editor dynamically adjusts the risk score.
📊 Risk analysis and response
This section goes deeper into viewing and managing risk events through Splunk's Security Intelligence > Risk Analysis. It shows how risk indicator rules trigger alerts and create notable events when a specific threshold is reached. It discusses how risk events and risk objects give analysts deep insight, and how this information is used for threat hunting and response. Finally, it shows how to view risk scores, high-risk objects and the most active sources in Security Intelligence > Risk Analysis, and how to use this data to tune the risk strategy.
📞 Closing and next steps
At the end of the webinar, guidance is given on how to get more information, including contacting Splunk Associates by email or watching the webinar recording on YouTube. The next episode in the series is previewed, which will focus on threat intelligence and the threat framework.
Keywords
💡 Risk-Based Alerting
💡 Enterprise Security
💡 CIS Controls
💡 Risk Framework
💡 Security Incidents
💡 Risk Scoring
💡 Risk Index
💡 Event Correlation
💡 Splunk Security Essentials
💡 Threat Intelligence
Highlights
This webinar is about risk-based alerting (RBA), the third part of the Enterprise Security series.
Risk-based alerting is a fundamental approach within the Enterprise Security framework that helps reduce the number of alerts and improve response efficiency.
CIS Controls 13 and 17 are the two important controls related to network monitoring and incident response management.
Ordinary event alerting can lead to alert flooding, alert suppression, slow detection and response, and analyst fatigue and turnover.
Risk-based alerting reduces noise by collecting information on suspicious behaviour and applying risk scores.
The risk index is used to collect and correlate suspicious behaviour so that an alert is triggered when a certain risk threshold is reached.
Accumulating multiple events makes it possible to determine more precisely when an alert should be raised.
Risk-based alerting can provide broader coverage and higher alert fidelity.
You need to consider what score to assign to each rule and what thresholds or measures you are interested in.
Setting up the risk framework includes creating correlation searches, triggering alerts, adaptive response actions and the risk data model.
Splunk Security Essentials provides risk-related content that helps users filter and find suitable use cases.
The risk factor editor allows the risk applied by a rule to be adjusted dynamically based on specific conditions.
Viewing the risk data in the index gives insight into the risk events in the environment.
Risk indicator rules are used to determine when to alert based on the risk data.
Reviewing risk events provides detailed information about an asset's risk, including the risk score and related annotations.
Security Intelligence > Risk Analysis provides a detailed view and data on how risk is applied across the environment.
After the webinar, participants can get more information or watch the replay via email or YouTube.
Transcripts
Hello and welcome to the webinar. This one's on risk-based alerting, the frontier of Enterprise Security, part of our Splunk bite-size security series. This is webinar number three, if you haven't seen the first two. So what are we talking about today? Well, we're going to start again, like the last one, on CIS controls and really why this is useful, why risk-based alerting is an approach that should be useful, RBA in the risk framework, how that kind of comes together, why the risk framework is a fundamental framework of Enterprise Security. The vital questions again, just to make sure that we have a successful implementation: what do we need to have in place, how to configure and use it, and then we'll also have a look at it as well, we'll go through a demonstration of it all. So that's the plan.
So first off let's look at the couple of CIS controls that are relevant here. We've got CIS Control 13, which is network monitoring and defense: operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the Enterprise network infrastructure and user base. So really just having the same kind of concepts in place, centralized security event alerting, 13.1, so making sure that we have a SIEM and everything comes into one place; that's kind of the basis of having a SIEM really. And then second we've got CIS Control 17, which is incident response management, being able to correlate information together to be able to detect or quickly respond to an attack and have more information at the fingertips. So that's the reasons for it, right?
So why RBA? Well, as opposed to the ordinary sort of notable events or security incidents directly, essentially because we're seeing this out in the world more and more: SOCs are being overwhelmed with the amount of alerts, and what that really leads to is abandoned or suppressed alerts, slow detection and response, and analyst burnout and turnover of staff, unfortunately. So really there needs to be a better way of doing it, and RBA hopefully is there to the rescue to reduce a lot of that noise and make it a lot better.

So how does it really work? Well, first off what we do is we take correlations, same as what we did previously, things that we want to be interested in, suspicious behaviour should we say, and then instead of directly alerting on it we now class it as an observation. We observe this effect and send it into a risk index, so we collect that information as a subset of the data that's already there, right, and we're seeing the suspicious information. We then apply risk scores to it, we apply annotations to it, whether it's the MITRE ATT&CK annotations, and really we're looking for all those outliers of the standard behaviour. And that we then look at inside the risk index to see collections or correlations of behaviour, known bad behaviour or against-policy behaviour or suspicious behaviour, and essentially what we then do is we alert on top of that. So if we see everything and it's all tied to a particular entity, whether it's a user or a device, then we start applying risk to that, and then when it gets to a certain threshold we alert.
So how does this look in practice? Well, multiple events, okay. So at 9:55 maybe we've got a potential spear phishing observed. Now, do we know that anything's actually occurred there, there's a security incident, or is it just something that's happened, right? It's added 10 points to the risk. All right, now 1:23 PM, so quite a bit later, there's some software that's been running on this particular device, right, so we've applied risk to the device; we've now got another 20 points of risk because something that we've maybe not seen before has started running on this device. Then a minute or so later, basically another command's being run, disabling certain security controls. Okay, well, it's starting to get a lot more risky really; we've got to about 50 points right now. Then we see some PowerShell that's suspicious, then we see a service being installed, okay, we're at 90 points, and then at 2:15 PM we see suspicious lateral movement. Okay, so over time we've now accumulated enough to say, right, I want to alert on this, I want my analysts to spend their time, because their time is precious, to spend their time investigating what's going on here. Okay, so now because we're over 100 points what we do is we have a risk indicator rule, so anything's over 100 points in a 24-hour period, as in this one, then we send an alert and that's just straight to the analyst there for investigation.

What this really means is two things, right. First we have far more coverage, right, we can do a lot more use cases in this way than we could in a direct notable because there just was too much noise. Okay, but we can also present back very much higher fidelity alerts when they come back to them, so analysts will see all of this information about this asset and know instantly that, okay, there's a lot of bad things going on, maybe we need to lock the asset down or whatever, or even you can send that into automation because you've got a lot better confidence in the actual alert itself. So this is how it works.
Sounds great, so what are the most important things to think about, right? So we obviously need to think about what score we need to apply to each rule; we need to think about what thresholds or measures we're interested in. Now this isn't always just a score threshold, right, it doesn't have to be 100 points, and I'll show you in the demo. In fact other ways of doing it could be the number of tactics that are involved, it could be the number of different use cases or searches that have triggered. The same search triggering over and over again is a threshold that's probably not as interesting as something where multiple different techniques or tactics have been involved. Okay, so there's lots of different things that we can do there and we can do combinations of these. One of the ones I saw very recently at .conf is the concept, which makes a lot of sense really, of using an analytics story, and if you ever see all the different correlation searches that trigger over an analytics story then alert on it, right. So lots of different ways of creating these alerts; it doesn't have to be tied down to a particular score, but scoring is obviously the sort of baseline level, should we say.

We also need to think about what correlation rules are ideal for risk-based learning and which ones do we actually want to alert for, right, because if we want a notable event directly because it's really known bad and it shouldn't happen at all, then that's fine, that's not a problem; not everything has to go into risk-based alerting. And in a lot of cases what you'll actually have is a large number of alerts that go just into risk-based learning, some alerts that do both, which you want to alert on and give you more context behind, and then some alerts are just a direct notable, just deal with them as they are individually, don't need any sort of background to. So it's just kind of going through all of your use cases and figuring out which ones are good for which side really.
So the risk framework, this is kind of how it sets up. Basically what we do is we create correlation searches; those correlation searches then create an event, okay, a notable event, or sorry, they trigger an alert. The adaptive response action is then used as a risk adaptive response action, and that produces risk and applies it into the risk index; it's a summary index basically. There is then a data model that sits on top of it, the risk data model, and essentially that will extract all the information out of there, and that's what we look upon, that accelerated data model, to be able to alert on using our risk indicator rules. Now this can also feed back to security analysts; they'll be able to see different things going on, they can do threat hunting within the risk info, they don't have to wait for an actual alert, and when they find anything in there then they can send an ad hoc risk entry into the index if they want to. At any point throughout that sort of timeline they can go and add in ad hoc risk entries; that's another way of adding into the risk framework.

One app that's kind of really important in this, and similar in a sense to what the previous webinar was on, right, this one's about SA-ThreatIntelligence. This is where we contain all the risk stuff out of the box; it's a supporting application, which is the SA piece, of an Enterprise Security build, so you'll see it in Splunk Cloud, you'll see it on-prem, and inside here it contains the risk data model, it contains all the out-of-the-box searches, risk indicator rules, and it contains risk dashboards as well as macros and everything else. So this is really the place that you want to have a look if you want to go through all the risk side of things. So with that let's go and actually have a look at it.
So we're starting here in the All Configurations page, specifically in that SA-ThreatIntelligence application, and we're going to see everything that's created in the app with that risk, right. So we can see the saved searches; these are the top two, or the out-of-the-box risk indicator rules, okay, so these are the things that are creating notable events. We can see all the different risk saved searches that go on in the background, we can see macros that are doing things as well, we can see ways of applying macros to users or so forth so that fields are extracted that say user risk and stuff like that, including the lookups, so you can see that risk being applied, so you get a constant update in your searches where risk is there, what's the level of risk for this particular thing. So if you want to have a look in a little bit more detail about what's in there then that's the sort of place to see; there's 54 items you could look through.
Now where I want to start this kind of journey through risk is really about how we can start thinking about what sort of risk we want. Now Splunk Security Essentials is written with risk concepts in mind, so you can actually find content: you can click on Find Content, you can go to risk-based alerting content across the right-hand side, and then you can pick the particular category of content that you're looking for, maybe it's compliance, maybe it's application security monitoring, and this will take you to your security content in Splunk Security Essentials with all the things that are really useful for risk. Okay, so it's filtering down to those risk-relevant use cases that can be useful for correlating against other information; that's probably one of the ways to think about it, risk is really about correlating with other sorts of events that might be occurring, right. So you get presented back with this, as you would expect from Splunk Security Essentials. Another way of looking at this is if you go to Analytics Advisor, go to risk-based alerting content recommendations, then you can filter down again either to the content that's available to you or to all content, okay, and you can filter down on specific applications and certain categories. So in this case I've gone to cloud security and I'm presented back with all the security content that might be useful for cloud security in a risk kind of way. Okay, so that's another way of getting through the content, so it's one of the important things to consider in the process.
Now if you want to then go into it, what you can see is in correlation searches in Splunk Enterprise Security. So if you're coming to Configure, into Content, into Content Management, and then filter based on correlation searches and enabled, you can see what's actually running. So here I've got some ES Content Update searches; this was AWS console login by user from a new city. So if I look in detail at this actual search I can see it's a normal correlation search, there's nothing sort of groundbreaking out of here; it's looking for anything that's in a new city from historical events, but it's also then providing a lot of annotations. So we're annotating with CIS 20 controls, the kill chain, MITRE ATT&CK, the NIST, the confidence and impact scores, and these are really good: if you can give an idea of what your impact and your confidence of each use case that you've got running is, that can be a really good way of deciding what score you should be applying, and there's a blog on our website about aligning those two together to make a good actual risk score, because it's always an idea of like how do I risk work at the beginning, so just something to bear in mind. You can also see the other annotations in terms of what analytics story it's relevant to and so forth, right. So that runs on a particular time window, and in this case is not throttling at all, but in some cases you might want to throttle; it depends on how you want to play with your risk scores, your risk use cases, right. Sometimes you might be wanting to observe if it's got an internet connection or something like that, sometimes you want to observe something else, and then what we're doing with the adaptive response action, so down here we've got risk analysis: we've got a user, the username is logging into the AWS console from a city for the first time, okay, and their risk score is applying 18 points to that user field. Okay, so that's been defined obviously based on the confidence score and the impact score, how much we want to be applying, and this risk message is really important, okay. So if you are doing risk for the first time do make sure you put risk messaging in, and if you can put any threat objects in, because they can tie everything together as well, so they can be really useful.
So one other thing that you can do is a risk factor editor, right. So in terms of risk factors, what you can do is add risk based on certain conditions, right, so in this case if that user is an administrator. So if I've got a user in there, it's got 18 points of risk at the moment, but if that user is an admin, i.e. they've got a privileged category of user from my asset and identity lists, right, then we can times that factor by one and a half, so it'll actually give 27 points of risk, right, an extra nine points added on, because that's what it should do, because that's a privileged account; we want to increase the risk, we want to know about any privileged accounts being of use in this source. So this risk factor editor has a way of just dynamically altering the risk that's being applied out of a rule on its own based on certain conditions, whether that's a contractor, whether that's a critical priority destination, whatever it is that we're interested in, or maybe they're on a watch list, that sort of thing. Then we can add an increased risk or decrease risk if we need to, right, so there's a multiplication, addition, or of course you can multiply by 0.5 to decrease it and so forth, right. So that's how we can do the risk factor editors; they can be a dynamic addition to it.
And then once we've got all those correlation rules set up, they're all applying risk, we'll see that data in index=risk. So let's have a quick look at that. So if I go index=risk I'll see within here all the different risk events that are being generated, right, so we're taking note of all these different things; they've all got a particular stash source type, right, which is our summary source type from Splunk out of the box, and we can see all the different sources, which are the risk rules that have been applied and triggered, right, so lots of different things going on in this environment. So we can search through that and we can also pin of course to the risk object, so if we want to browse around particular risk objects, what's been creating our risk on this particular risk object, we can go into that and we can go into our sources. Okay, so these three things are occurring on this particular asset, sort of thing, right. So we can browse that data, it is just sitting there, so if we want to go threat hunting into risk we can do that.
And of course what we then do is we want to alert on it, right, when certain thresholds are hit. So what we have here is a couple of risk indicator rules; one's called ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days, and there's also a 24-hour risk rule as well. So this is a seven-day risk rule which is looking in the data model for risk, okay, and it's alerting if there's at least three tactics from MITRE involved, at least four sources, right. So if I looked in the data itself I can see annotations that are MITRE ATT&CK and the tactics and techniques data fields that are in there, because of the annotations that are in the correlation searches themselves. And when I then hit that trigger, what I actually then do is create my notable, and it's at this point that it goes into Incident Review. I've given it my title, my description, I've got a drill-down and all the sort of normal things that you would have from your previous kind of notable events and how you would normally previously alert. So that can all be done from there, and you could make these up for different things, right, and you could weight these things. And if you follow Haylee Mills's kind of journey to learning how to implement risk-based alerting, right, she's got a four-stage journey; some of the things she talks about is about having dynamic risk that you can apply in risk rules, but also having weighted sources and weighted tactics, and what we mean by that is not all risk rules should apply the same source. Maybe you've got brute force, maybe that's not so interesting; maybe excessive failed logins, maybe that's not so interesting, whatever it is, so you can reduce the weight of that particular source so that it doesn't hit the threshold, whereas some sources should count as a full one point, some maybe even two points towards that source count. So you know each source could be a little bit different in that weighting as well. So that's another way of just kind of looking in interesting ways.
Yeah, so that's the kind of risk indicator rules, and so when that then alerts, what you then see in Incident Review is events that are presented like this, and these are known as risk notables. You can filter based on type, so in this case drill down to type risk notable, and then you'll get presented with all of them back, and you can see the risk object and the risk score. So in this case I'm going to just expand this one to start with to show you that, now, because it's a risk event, I can see all of the MITRE details, the annotations across the top, so I can get much quicker insight into what's actually occurring with this particular asset, in this case, because that's the risk object. So I can see all the different things that are going on there, I can get all that sort of useful key information down the left-hand side and anything that's going on on the right; this one's actually gone directly to SOAR and actually been triaged in some respects already, which is why it's in progress. And then if I click on Risk Events I'll get a pop-up here which will show me all of the risk events, all the risk rules that have triggered related to this particular device, okay, so here we can see six different risk rules over a time period; we can zoom in further into that, we'll zoom out of course. So these are the risk events, and if I scroll down to the bottom of the page you can see all of those individually, and this is when I mentioned why risk messages are really important, because this is what's actually read by the analyst really. So just making sure there's good detail in there, making sure it shows what processes or what objects are involved, what's actually occurred to indicate that this is a risky instance. And you can see the risk rules of what has actually triggered and the annotations as well on the right there; you can filter that down or of course expand it with a little bit more detail. And then also at the top right you can go into the threat topology, and this is where we can really link things between threat objects and risk objects; we can get a little bit more detail around what's going on, so you can see these things are linked together, so this laptop's also linked to be stole. So you can see lots of good insight, an overview of what's actually going on across the top, and of course the assets, and it's in the asset list across the top there as well. So, jolly good, so that gives us a lot more insight into what's actually going on. Our analysts can go, yes, this is known bad, I want to lock it down, I can go ahead and run my adaptive response action, come in here, run an adaptive response action from here and block it or whatever, or if it's climbing out into SOAR you can get that kind of automated as it goes through processes and so forth. So whatever we need to do we can do a particular direct adaptive response from there.
And then finally, if you really want to look into it, what you have is under Security Intelligence, Risk Analysis, and this will go into detail about all the things that are going on in risk in the environment, right. So we've got risk scores by objects, you can see the high objects, you can see most active sources, and this is probably one of the most useful dashboard panels; you probably want to expand it out and have a look over it to see where your risk is being applied. If you come in here and click search then that will give you a good idea, and then across the top you can also see all the different annotations and threat objects that are involved across my risk, and you can filter everything down as you need to, change the time window, and then right at the bottom you can see all the modifiers individually in a tabular format, right. But again this is just looking at the data in the index itself, so you can go ahead and have a look and browse through it that way. But this is, as I say, one of the most useful ones because it gives you kind of direction about, okay, well, this one's not particularly hitting many risk objects but applying a lot of risk, it's just repeating itself, maybe it's running too often, maybe it needs a bit of thresholding; it can give you some direction of where you want to be thinking about tuning this in this kind of space.

Okay, with that, thank you very much for attending. I hope that bite-size information on risk-based alerting was useful for you. If you do want to find out any more or have any questions just email invert someone from associates.com, and if you missed the webinar you can go to youtube.com and find us there. But yeah, hopefully you'll join us on the fourth one, it was Stu doing that one, our fourth episode in the series looking at the threat intelligence side of things and the threat framework.