Detection Engineering II • Room 1
Risk Rules & Modifiers
Risk-Based Alerting (RBA) fundamentally changes SIEM alerting. Instead of creating a Notable Event directly, a Risk Rule creates a Risk Modifier.
The modifier assigns a numerical score (e.g., +20) to a Risk Object (a user or system) based on a low-fidelity event (like an encoded PowerShell command).
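As an added example that is not part of the room's own material, the following Python sketch walks through the RBA flow described above: risk rules turn low-fidelity events into risk modifiers, each modifier adds a score to a risk object, and a risk notable is generated only once the aggregate crosses a threshold. The sample events, the per-rule scores, the 100-point threshold, the 24-hour window and the two-distinct-rules requirement are all assumptions for illustration, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed low-fidelity events (not from any real SIEM). On their own none
# of these would justify a Notable Event; together they may.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "jsmith", "host": "ws01", "type": "encoded_powershell"},
    {"ts": "2024-05-01T09:05:00", "user": "jsmith", "host": "ws01", "type": "new_service_installed"},
    {"ts": "2024-05-01T09:20:00", "user": "jsmith", "host": "ws01", "type": "lsass_access"},
    {"ts": "2024-05-01T10:00:00", "user": "bjones", "host": "ws02", "type": "encoded_powershell"},
]

# Risk rules: event type -> score added to the risk object. Scores are assumed.
RISK_RULES = {
    "encoded_powershell": 20,
    "new_service_installed": 30,
    "lsass_access": 60,
}

def risk_modifiers(events, rules=RISK_RULES):
    """Run every risk rule over the events; each match yields one risk modifier.
    Here the risk object is the user; a system (ev["host"]) could be used instead."""
    mods = []
    for ev in events:
        score = rules.get(ev["type"])
        if score is not None:
            mods.append({"ts": datetime.fromisoformat(ev["ts"]), "risk_object": ev["user"],
                         "score": score, "rule": ev["type"]})
    return mods

def risk_notables(modifiers, threshold=100, window=timedelta(hours=24), min_distinct_rules=2):
    """Aggregate modifiers per risk object over a sliding window and emit a risk
    notable when the total score and the number of distinct contributing rules
    both meet their thresholds (thresholds are assumptions)."""
    by_obj = defaultdict(list)
    for m in sorted(modifiers, key=lambda m: m["ts"]):
        by_obj[m["risk_object"]].append(m)
    notables = []
    for obj, mods in by_obj.items():
        for i, newest in enumerate(mods):  # window ends at each modifier in turn
            in_win = [x for x in mods[:i + 1] if newest["ts"] - x["ts"] <= window]
            total = sum(x["score"] for x in in_win)
            rules = {x["rule"] for x in in_win}
            if total >= threshold and len(rules) >= min_distinct_rules:
                notables.append({"risk_object": obj, "total": total, "rules": sorted(rules)})
                break  # one notable per object; production systems throttle instead
    return notables

if __name__ == "__main__":
    for n in risk_notables(risk_modifiers(EVENTS)):
        print(f"RISK NOTABLE: {n['risk_object']} score={n['total']} rules={n['rules']}")
```

With the constructed data, jsmith reaches 110 points from three distinct rules and produces a notable, while bjones stays at 20 and does not.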
Knowledge Check
Match each description to the RBA term it defines:

| Description | Term |
| --- | --- |
| The entity accumulating risk score (e.g., user "jsmith") | Risk Object |
| The numerical value added to the object | Risk Score |
| The rule that creates the score based on an event | Risk Rule |
| The final high-fidelity alert generated | Risk Notable |