Investigation & ES • Room 3

Risk-Based Alerting (RBA)

Traditional alerting fires on every single suspicious event, drowning analysts in noise. Risk-Based Alerting (RBA) takes a fundamentally different approach.

Instead of alerting on each low-fidelity event, RBA attributes a risk score to a Risk Object (a user or system). Only when the accumulated risk crosses a threshold does a single "Risk Notable" fire, dramatically reducing alert fatigue while increasing fidelity.

Risk Notable Flow
Low-fidelity event A (+10 risk) → user "jdoe"
Low-fidelity event B (+15 risk) → user "jdoe"
Low-fidelity event C (+25 risk) → user "jdoe"
→ Threshold (50) exceeded → Risk Notable fires for "jdoe"
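Added example (not part of the room's material, and not Splunk's own risk-notable search): a small Python replay of the accumulation shown above. It assumes a 24-hour trailing window and uses constructed risk events; it fires one notable for "jdoe" once the score reaches the threshold and none for an entity whose older risk has aged out of the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of low-fidelity risk events (not real Splunk data).
# Each record is what an RBA correlation search would write to the risk
# index: a risk object, the score attributed to it, and the rule that fired.
RISK_EVENTS = [
    {"time": "2024-05-01T08:00:00", "risk_object": "jdoe", "risk_score": 10, "rule": "Rare Process Launched"},
    {"time": "2024-05-01T09:30:00", "risk_object": "jdoe", "risk_score": 15, "rule": "Login From New Country"},
    {"time": "2024-05-01T11:00:00", "risk_object": "jdoe", "risk_score": 25, "rule": "Cloud Storage Upload"},
    {"time": "2024-04-28T10:00:00", "risk_object": "asmith", "risk_score": 40, "rule": "Cloud Storage Upload"},
    {"time": "2024-05-01T10:00:00", "risk_object": "asmith", "risk_score": 25, "rule": "Rare Process Launched"},
]

THRESHOLD = 50                 # the threshold used in the flow above
WINDOW = timedelta(hours=24)   # assumed aggregation window


def risk_notables(events, threshold=THRESHOLD, window=WINDOW):
    """Replay events per risk object in time order and return one Risk Notable
    {risk_object: {"fired_at", "score", "rules"}} for each object whose summed
    risk inside the trailing window reaches the threshold. The flow above
    treats reaching 50 as crossing it, so the comparison is >=.
    Individual events never alert on their own; only the aggregate does."""
    by_object = defaultdict(list)
    for e in events:
        by_object[e["risk_object"]].append((datetime.fromisoformat(e["time"]), e))

    notables = {}
    for obj, evs in by_object.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (ts, _) in enumerate(evs):
            # Only events inside the trailing window contribute to the score.
            in_window = [e for t, e in evs[: i + 1] if ts - t < window]
            score = sum(e["risk_score"] for e in in_window)
            if score >= threshold:
                notables[obj] = {
                    "fired_at": ts.isoformat(),
                    "score": score,
                    "rules": sorted({e["rule"] for e in in_window}),
                }
                break  # one notable per object, not one per contributing event
    return notables


if __name__ == "__main__":
    for obj, n in risk_notables(RISK_EVENTS).items():
        print(f"Risk Notable for {obj}: score {n['score']} at {n['fired_at']} ({', '.join(n['rules'])})")
```

Lowering the threshold or widening the window changes which entities surface, which is the tuning knob that trades fidelity against coverage in RBA.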

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Question 1 of 1
In Risk-Based Alerting, when does a Risk Notable actually fire?
A. Every time any suspicious event occurs.
B. When the accumulated risk score for a specific entity (Risk Object) exceeds a defined threshold within a time window.
C. Only when an analyst manually triggers it.
D. At a scheduled time every morning.