Detection Engineering II • Room 2

The Risk Threshold

The true power of RBA lies in the Risk Incident Rule. This is a special correlation search that, instead of alerting on individual events, monitors the accumulated risk score of each risk object (a user, a host, and so on).

When an object's accumulated score crosses a defined threshold (e.g., > 100) within a time window (e.g., 24 hours), it generates a single high-fidelity Risk Notable.
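The threshold logic described above, modelled as a stand-alone script (an added example; it is not Splunk's own implementation of the Risk Incident Rule). The sample risk events are constructed, and their field names (`risk_object`, `risk_object_type`, `risk_score`, `source`) mirror the Splunk ES risk index; the sliding 24-hour window, the `> 100` threshold and the one-notable-per-object rule are the parameters from the text. The example shows the point the room is making: four low-scoring detections against one user collapse into a single Risk Notable, while two high scores on a host that are more than a window apart never fire.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample risk events (not real data). Each one is what an
# individual risk rule would write to the risk index instead of raising
# its own alert.
RISK_EVENTS = [
    {"_time": "2024-05-01T08:10:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "source": "Rare Process Execution"},
    {"_time": "2024-05-01T09:45:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "source": "New Country Login"},
    {"_time": "2024-05-01T13:20:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 25, "source": "Excessive Failed Logins"},
    {"_time": "2024-05-01T17:05:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "source": "Rare Process Execution"},
    # Two scores that would cross 100 together, but 30 hours apart.
    {"_time": "2024-05-01T06:00:00", "risk_object": "host-12", "risk_object_type": "system",
     "risk_score": 60, "source": "Suspicious Scheduled Task"},
    {"_time": "2024-05-02T12:00:00", "risk_object": "host-12", "risk_object_type": "system",
     "risk_score": 50, "source": "Unusual Outbound Traffic"},
    # Stays below the threshold.
    {"_time": "2024-05-01T10:00:00", "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 40, "source": "New Country Login"},
    {"_time": "2024-05-01T11:00:00", "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 40, "source": "Excessive Failed Logins"},
]


def _ts(event):
    """Parse the event timestamp (ISO 8601 in the constructed data)."""
    return datetime.fromisoformat(event["_time"])


def risk_incident_rule(events, threshold=100, window=timedelta(hours=24)):
    """Model of a Risk Incident Rule: emit one Risk Notable per risk object
    whose scores, summed over a sliding window, exceed `threshold`.

    Returns a list of notable dicts, each carrying the accumulated score and
    the rules that contributed to it, so an analyst sees the whole picture
    in one item instead of N separate alerts.
    """
    by_object = defaultdict(list)
    for e in events:
        by_object[(e["risk_object_type"], e["risk_object"])].append(e)

    notables = []
    for (obj_type, obj), evs in by_object.items():
        evs.sort(key=_ts)
        in_window = deque()   # events still inside the window ending at the current event
        total = 0
        for e in evs:
            in_window.append(e)
            total += e["risk_score"]
            # Evict contributions that have aged out of the window.
            while _ts(in_window[0]) < _ts(e) - window:
                total -= in_window.popleft()["risk_score"]
            if total > threshold:
                notables.append({
                    "risk_object_type": obj_type,
                    "risk_object": obj,
                    "risk_score": total,
                    "event_count": len(in_window),
                    "contributing_sources": sorted({x["source"] for x in in_window}),
                    "window_start": in_window[0]["_time"],
                    "window_end": e["_time"],
                })
                break  # one notable per object, not one per contributing event
    return notables


if __name__ == "__main__":
    for n in risk_incident_rule(RISK_EVENTS):
        print(f"RISK NOTABLE: {n['risk_object_type']}={n['risk_object']} "
              f"score={n['risk_score']} from {n['event_count']} events "
              f"({', '.join(n['contributing_sources'])})")
```

Running it produces a single notable for `jdoe` (score 105 from four events across three rules) and nothing for `host-12` or `asmith`: eight risk events, one item in the analyst's queue. In a real deployment the same idea is expressed as a scheduled correlation search over the risk index; this script only makes the aggregation explicit.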

Knowledge Check

Question 1 of 1
Why does implementing Risk-Based Alerting (RBA) dramatically reduce analyst alert fatigue?
A. It deletes old logs automatically.
B. It replaces dozens of low-fidelity, noisy alerts with a single, high-fidelity Risk Notable that fires only when a behavior threshold is crossed.
C. It requires less Splunk licensing.
D. It bypasses the need for the CIM.