
rba's Introduction

RBA all day


Welcome to the wonderful world of Risk-Based Alerting!

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.

Documentation

See the web based documentation at https://splunk.github.io/rba/

Searches

Useful SPL from the RBA community for working with risk events.

Dashboards

Simple XML or JSON for Splunk dashboards to streamline risk analysis.

Risk Rules

Splunk's Threat Research Team maintains a library of over 1000 detections in Splunk's Enterprise Security Content Updates (ESCU) library. You can use Marcus Ferrera and Drew Church's ATT&CK Detections Collector to generate a handy HTML file of relevant ESCU detections for you to align with MITRE ATT&CK.

rba's People

Contributors

7thdrxn, ccl0utier, dcdata-ops, dependabot[bot], hettervik, matt-snyder-stuff, nterl0k, zachchristensen28, zachthesplunker


rba's Issues

[Issue]: Missing CSS/JS files in some dashboards

Description

The attack_matrix_risk.xml dashboard seems to rely (?) on CSS and/or JavaScript files that do not seem to be included in this repo.
Can we remove them (if no longer needed) or re-add them?


[Issue]: RBA Data Source Review Dashboard issues

Description

The dashboard seems to have a few issues, for example:

  • Panels are not restricted to Risk Rules; for example, it shows an incorrect count of detections populating the Risk index (which should have the Risk Analysis action enabled), etc. Maybe add AND match('actions',"risk") to the filter of the base search?
  • MITRE extractions (from search?) seem to be broken. Might want to get those from annotations?
  • The dashboard might benefit from simplifying the base search to:
| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| where disabled=0

... and putting additional logic in the relevant panel search. Otherwise, the base search extracts fields that might never be used.

  • The | rest call above could be further optimized by explicitly requesting only the necessary fields, i.e.: | rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches f=field1 f=field2 f=field3

I'm happy to help fix those if that makes sense.
