presos
RBA
RBA is Splunk's method of collecting low-fidelity security events as risk observations, each tagged with security metadata (the risk object it concerns, a risk score, the ATT&CK technique it maps to), and then aggregating those observations per object into high-fidelity, low-volume alerts. I am SO PASSIONATE about this topic, as most SOCs are overwhelmed with high-volume, low-fidelity alerts, and on top of that, what you can detect with this type of alerting is so much more subtle and advanced.
Risk-Based Alerting: The New Frontier for SIEM
10 minute intro video
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
discussing the fundamental building blocks of RBA in any context with any tool
Streamlining Analysis of Security Stories with Risk-Based Alerting
my other passion: USER EXPERIENCE DESIGN! and how we can operationalize RBA in Splunk with intuitive dashboarding
Curating your Risk Ecology: Making RBA Magick
getting value out of RBA means careful tuning and pruning, learn how!
Making Friends With Threat Object: Automation, Tuning, and Threat Hunting With Risk-Based Alerting
the incredible Stuart McIntosh and I get into leveraging threat object to do super cool shit
Blue Team Academy: Risk and Risk Notables for Analysts
intro to RBA and how to work those notables as a security analyst
Building Behavioral Detections: Cross-Correlating Suspicious Activity with the MITRE ATT&CK™ Framework
the technical underpinnings of the original SA-RBA app’s SPL, before RBA was part of ES 6.4
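The aggregation step described in the RBA intro above, plus the threat-object pivot from the "Making Friends With Threat Object" talk, as an added, tool-agnostic example that is not code from this page, from Splunk, or from any of the apps or talks listed. The field names are modelled on the Splunk ES risk index (`risk_object`, `risk_score`, `search_name`, `annotations.mitre_attack`, `threat_object`), but the rows themselves are constructed, the thresholds (100 points, 3 distinct contributing rules, 24-hour window) are assumed, and the rule names and techniques are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows modelled on the ES risk index; every row is one
# low-fidelity observation that a risk rule has already tagged with metadata.
# All names, scores and times are invented for this example.
RISK_EVENTS = [
    # jsmith: four observations from three different risk rules within a day
    {"_time": "2024-05-01T08:00:00", "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 20, "search_name": "Office Application Spawning Shell",
     "annotations.mitre_attack": "T1204.002", "threat_object": "powershell.exe"},
    {"_time": "2024-05-01T08:05:00", "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 30, "search_name": "Encoded PowerShell Command Line",
     "annotations.mitre_attack": "T1059.001", "threat_object": "powershell.exe"},
    {"_time": "2024-05-01T10:30:00", "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 30, "search_name": "Encoded PowerShell Command Line",
     "annotations.mitre_attack": "T1059.001", "threat_object": "powershell.exe"},
    {"_time": "2024-05-01T11:00:00", "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 40, "search_name": "New Scheduled Task Created",
     "annotations.mitre_attack": "T1053.005", "threat_object": "schtasks.exe"},
    # jsmith: an observation that has aged out of the window and must not count
    {"_time": "2024-04-20T11:00:00", "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 50, "search_name": "New Scheduled Task Created",
     "annotations.mitre_attack": "T1053.005", "threat_object": "schtasks.exe"},
    # srv-web-01: ONE noisy rule firing five times (high score, single source)
    *[{"_time": f"2024-05-01T0{h}:00:00", "risk_object": "srv-web-01",
       "risk_object_type": "system", "risk_score": 30,
       "search_name": "Web Server Error Spike", "annotations.mitre_attack": "T1190",
       "threat_object": "203.0.113.7"} for h in range(1, 6)],
    # bob: a single observation, far below any sensible threshold
    {"_time": "2024-05-01T09:00:00", "risk_object": "bob", "risk_object_type": "user",
     "risk_score": 30, "search_name": "Encoded PowerShell Command Line",
     "annotations.mitre_attack": "T1059.001", "threat_object": "powershell.exe"},
]

# Assumed "now" for the window, so the example is deterministic.
WINDOW_END = datetime(2024, 5, 1, 12, 0, 0)


def _in_window(events, window_end, window):
    """Yield only the observations that fall inside (window_end - window, window_end]."""
    start = window_end - window
    for ev in events:
        if start < datetime.fromisoformat(ev["_time"]) <= window_end:
            yield ev


def build_risk_notables(events, window_end, window=timedelta(hours=24),
                        score_threshold=100, min_distinct_sources=3):
    """Risk incident rule: roll observations up per risk object and promote only
    objects that clear BOTH gates. The distinct-source gate is what stops one
    noisy rule from manufacturing a notable on its own."""
    buckets = defaultdict(list)
    for ev in _in_window(events, window_end, window):
        buckets[(ev["risk_object_type"], ev["risk_object"])].append(ev)
    notables = []
    for (otype, obj), evs in sorted(buckets.items()):
        total = sum(e["risk_score"] for e in evs)
        sources = {e["search_name"] for e in evs}
        if total >= score_threshold and len(sources) >= min_distinct_sources:
            notables.append({
                "risk_object_type": otype,
                "risk_object": obj,
                "risk_score": total,
                "source_count": len(sources),
                "sources": sorted(sources),
                "mitre_techniques": sorted({e["annotations.mitre_attack"] for e in evs}),
                "threat_objects": sorted({e["threat_object"] for e in evs}),
            })
    return notables


def threat_object_pivot(events, window_end, window=timedelta(hours=24)):
    """Invert the index: which risk objects did each threat object touch?
    One threat object spanning several users/hosts is a hunting lead even when
    no single risk object has crossed the notable threshold."""
    pivot = defaultdict(set)
    for ev in _in_window(events, window_end, window):
        pivot[ev["threat_object"]].add(ev["risk_object"])
    return {k: sorted(v) for k, v in pivot.items()}


def source_contribution(events, window_end, window=timedelta(hours=24)):
    """Tuning view: per risk rule, how many observations and how much score it
    contributed. Rules that dominate this table are the first pruning candidates."""
    contrib = defaultdict(lambda: [0, 0])
    for ev in _in_window(events, window_end, window):
        contrib[ev["search_name"]][0] += 1
        contrib[ev["search_name"]][1] += ev["risk_score"]
    return {k: tuple(v) for k, v in contrib.items()}


if __name__ == "__main__":
    for n in build_risk_notables(RISK_EVENTS, WINDOW_END):
        print("NOTABLE", n)
    print("pivot", threat_object_pivot(RISK_EVENTS, WINDOW_END))
    print("sources", source_contribution(RISK_EVENTS, WINDOW_END))
```

With these sample rows only jsmith becomes a notable (120 points from three different rules). srv-web-01 has a higher raw score (150) but from a single rule, so the distinct-source gate holds it back, which is exactly the kind of noise the tuning talks above are about; the pivot shows `powershell.exe` touching both bob and jsmith, a lead that the per-object roll-up alone would not surface.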
OTHER STUFFS
CactusCon 10 - How not to suck at CFPs: Real-World Feedback from the CC10 Review Board
Recorded Future - Elevate Your SOC: Automation Trends & Best Practices
NEXTEXEC PODCAST - SOLARWINDS BREACH ANALYSIS
Splunk SURGe Coffee Talk 5/2022 - Conti Hits Costa Rica, Cardiologist Ransomware, CISA MSP Alert
Splunk SURGe Coffee Talk 9/2022 - Ukraine, GRU Hacktivist Coordination, Network Monitoring, Optus
Splunk SURGe Coffee Talk 9/2023 - Data Leaks, Casino Breaches, Ransom Demands, Big Yellow Taxi
blue team warrior podcast interview
RBA PODCAST - Interview and .Conf23 Recap
FOR NEWBIES
I made a bunch of infosec content designed for *ACTUAL* beginners to learn cybersecurity as I did not find much out there for actual beginners when I was one. You can find it on YouTube and the corresponding curriculum on my LEARN page.
I also really like this talk I did for CodeDay kiddos to talk about how security and incident response works in a large enterprise.