Splunk was extremely quick to post the slides and audio from all of the .conf sessions. We wanted to provide the link to the talk we gave on what we learned after implementing a Risk-Based Approach (RBA) in production and processing over 15k RBA alerts. We hope it provides insight and ideas for others who choose this path.
SEC1908 - Tales From a Threat Team: Lessons and Strategies for Succeeding with a Risk-Based Approach
We also want to highlight the RBA work that others are sharing:
SEC1538 - Getting Started with Risk-Based Alerting and MITRE
SEC1803 - Modernize and Mature Your SOC with Risk-Based Alerting
And of course Stuart & Jim's original RBA talk in 2018:
SEC1479 - Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach