The SOC Gauntlet • Room 3
Scenario: RBA Threshold Tuning
**Scenario:** Your SOC is overwhelmed. The Risk Notable Event ("Risk Threshold Exceeded") is firing 200+ times per day. Analysis shows that most high-risk objects are service accounts running automated scans.
You need to:
1. Identify the noisy risk rules contributing the most score.
2. Create suppression entries for known-good service accounts.
3. Adjust the risk threshold from 100 to 150 for the "Risk Threshold Exceeded" correlation search.
This is the art of **tuning** — reducing false positives without creating blind spots.
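The three tuning steps above, worked through on a handful of constructed risk events. This is an added example, not part of the SOC Gauntlet room and not Splunk's own code: the account names (svc_nessus, svc_qualys, jdoe, asmith), the rule names and the scores are made up, and "exceeded" is assumed to mean strictly greater than the threshold. In Splunk ES the same fields would come from the Risk data model (risk_object, risk_score, and source as the risk rule name).

```python
"""RBA tuning walk-through on constructed risk events (added example)."""
from collections import defaultdict

# Constructed risk events: one row per risk rule firing. The field names mirror
# the Risk data model; the values are invented for this example.
RISK_EVENTS = [
    {"risk_object": "svc_nessus", "source": "Excessive Port Scans", "risk_score": 40},
    {"risk_object": "svc_nessus", "source": "Excessive Port Scans", "risk_score": 40},
    {"risk_object": "svc_nessus", "source": "Excessive Port Scans", "risk_score": 40},
    {"risk_object": "svc_nessus", "source": "New Admin Account", "risk_score": 50},
    {"risk_object": "svc_qualys", "source": "Excessive Port Scans", "risk_score": 40},
    {"risk_object": "svc_qualys", "source": "Excessive Port Scans", "risk_score": 40},
    {"risk_object": "svc_qualys", "source": "Unusual Process", "risk_score": 30},
    {"risk_object": "jdoe", "source": "Suspicious PowerShell", "risk_score": 60},
    {"risk_object": "jdoe", "source": "New Admin Account", "risk_score": 50},
    {"risk_object": "jdoe", "source": "Excessive Port Scans", "risk_score": 40},
    {"risk_object": "jdoe", "source": "Credential Dump", "risk_score": 30},
    {"risk_object": "asmith", "source": "Unusual Process", "risk_score": 30},
    {"risk_object": "asmith", "source": "Suspicious PowerShell", "risk_score": 60},
    {"risk_object": "asmith", "source": "Failed Logins", "risk_score": 20},
]

# Step 2: suppression entries for hypothetical known-good service accounts.
# Each entry names the rule the account is *expected* to trip; "*" would
# suppress every rule. Scoping to a rule keeps unexpected behaviour from a
# "known-good" account visible instead of silencing the whole object.
SUPPRESSIONS = {
    "svc_nessus": {"Excessive Port Scans"},
    "svc_qualys": {"Excessive Port Scans"},
}


def is_suppressed(event, suppressions):
    """True when this (risk_object, rule) pair is covered by a suppression entry."""
    rules = suppressions.get(event["risk_object"])
    return bool(rules) and (event["source"] in rules or "*" in rules)


def score_by_rule(events):
    """Step 1: total score each risk rule contributes, noisiest first."""
    totals = defaultdict(int)
    for e in events:
        totals[e["source"]] += e["risk_score"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def score_by_object(events, suppressions=None):
    """Aggregate risk per object, skipping suppressed (object, rule) pairs."""
    suppressions = suppressions or {}
    totals = defaultdict(int)
    for e in events:
        if not is_suppressed(e, suppressions):
            totals[e["risk_object"]] += e["risk_score"]
    return dict(totals)


def risk_notables(events, threshold, suppressions=None):
    """Step 3: objects that would raise a Risk Threshold Exceeded notable.
    'Exceeded' is taken as strictly greater than the threshold (assumption)."""
    return {obj: score for obj, score in score_by_object(events, suppressions).items()
            if score > threshold}


def residual_risk(events, suppressions):
    """Blind-spot check: score a suppressed account still earns from rules
    outside its suppression entry, so tuning does not hide new behaviour."""
    return {obj: score for obj, score in score_by_object(events, suppressions).items()
            if obj in suppressions and score > 0}


if __name__ == "__main__":
    print("noisiest rules:", score_by_rule(RISK_EVENTS)[:3])
    print("before tuning (threshold 100, no suppression):", risk_notables(RISK_EVENTS, 100))
    print("after tuning  (threshold 150, with suppression):",
          risk_notables(RISK_EVENTS, 150, SUPPRESSIONS))
    print("residual risk on suppressed accounts:", residual_risk(RISK_EVENTS, SUPPRESSIONS))
```

Before tuning all four objects exceed 100; after suppression and the raised threshold only jdoe remains. The residual_risk output is the part worth keeping in a real tuning review: it shows that svc_nessus still carries 50 points from a rule outside its suppression entry, which is exactly the activity a whole-object suppression would have hidden.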
Knowledge Check
Prove your understanding to clear the room (Rewards XP)
Explain RBA tuning strategy.
To reduce false positives, create ______ entries for known-good service accounts and adjust the risk ______ in the correlation search configuration.