The Logic Gate • Room 3

Risk-Based Alerting (RBA)

**Risk-Based Alerting (RBA)** shifts the paradigm from alerting on single events to attributing risk scores to the users and systems involved in them (the Risk Objects). Each contributing detection writes a risk event to the risk index instead of opening a notable of its own.

Instead of 10 low-fidelity detections creating 10 notable events, each of them adds, say, +10 risk points to the same user. When that user's accumulated risk over the lookback window exceeds a threshold (e.g., 100), a risk incident rule generates a single, high-fidelity notable event that carries all ten contributing detections as context.

This drastically reduces alert fatigue and surfaces activity that no single detection would justify alerting on. The trade-off is tuning: the threshold, the window and the per-rule risk scores decide whether a notable fires, so they need review whenever contributing rules are added or changed, and the contributing rules must use the Risk Analysis action rather than creating notables themselves.
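The aggregation-and-threshold step described above, written as an added SPL example (not code from the original page): it sums risk from the Risk data model per risk object and keeps only the objects whose total crosses the threshold. The field names `All_Risk.risk_score`, `All_Risk.risk_object`, `All_Risk.risk_object_type`, `All_Risk.source`, `All_Risk.risk_message` and the `drop_dm_object_name` macro are the Enterprise Security data-model fields; the 100-point threshold and the `source_count >= 2` guard are illustrative choices, not ES defaults.

```spl
| tstats summariesonly=true allow_old_summaries=true
    sum(All_Risk.risk_score) as risk_score,
    dc(All_Risk.source) as source_count,
    values(All_Risk.source) as source,
    values(All_Risk.risk_message) as risk_message
  from datamodel=Risk.All_Risk
  where All_Risk.risk_object_type IN ("user", "system")
  by All_Risk.risk_object, All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| where risk_score >= 100 AND source_count >= 2
| sort - risk_score
```

Run it as a scheduled correlation search over the lookback window you want (e.g., the last 24 hours) with Notable as its adaptive response action. `tstats` against the accelerated Risk data model keeps it cheap enough to schedule frequently; `drop_dm_object_name` strips the `All_Risk.` prefix so the later pipes can use plain field names. The `source_count` guard is the practical caveat: without it, one noisy rule scoring the same object ten times can fire a notable by itself, which is exactly the fatigue RBA is meant to remove. Newer ES releases also expose `All_Risk.calculated_risk_score`, which includes risk-factor adjustments; swap it in if your version has it.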

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write an ES-native search to pull the top 5 highest-risk objects from the Risk data model.