Highland Defense Risk Based Alerting

Executive Knowledge base


What is Risk Based Alerting?

Risk Based Alerting (RBA) in Splunk® ES is a framework for threat detection and alerting. The key differentiators between RBA and traditional alerting are:

  • The evolution from one-to-one alerting to many-to-one alerting, related by object.

  • The evolution from alerting on events or IOCs to alerting on behaviors (a series of events & IOCs).



How does Risk Based Alerting work in Splunk ES?

In RBA, the detection searches, called “Risk Rules”, detect anomalies and record their results (log events) to the risk index inside Splunk ES. A risk score is also calculated for each event and attached to the objects found in it (e.g. a user or a system).

A separate set of searches, called “Risk Incident Rules” or “Risk Notable Rules”, then mine the risk index for anomalous events and potential threat activity. When one of these searches finds an object with enough risk events, a notable is created in Splunk ES. The most common alerting threshold is aggregate risk score, but notables can also be generated for other conditions, such as the variety of MITRE ATT&CK® tactics observed.
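The two-stage flow described above, as an added example that is not Highland Defense or Splunk code: Risk Rules write scored events to a risk index, and a Risk Incident Rule aggregates them per object and raises a notable once a threshold is crossed. In Splunk ES this second stage is an SPL search over the Risk data model; the Python below models the same logic offline. The risk events are constructed sample data, the field names only follow ES naming conventions, and both thresholds (100 aggregate score, 3 distinct tactics) are assumed values.

```python
from dataclasses import dataclass, field

# Constructed sample risk events, shaped like what Risk Rules write to the
# risk index. Field names follow ES conventions; every value is made up.
RISK_EVENTS = [
    {"_time": 100, "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 20, "search_name": "Login From New Country", "tactic": "Initial Access"},
    {"_time": 180, "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 15, "search_name": "PowerShell Encoded Command", "tactic": "Execution"},
    {"_time": 260, "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 25, "search_name": "New Scheduled Task", "tactic": "Persistence"},
    # Older event for the same user; it falls outside the search window below.
    {"_time": 5, "risk_object": "jsmith", "risk_object_type": "user",
     "risk_score": 40, "search_name": "Password Spray Target", "tactic": "Credential Access"},
    {"_time": 120, "risk_object": "WS-042", "risk_object_type": "system",
     "risk_score": 40, "search_name": "Suspicious Parent Process", "tactic": "Execution"},
    {"_time": 200, "risk_object": "WS-042", "risk_object_type": "system",
     "risk_score": 40, "search_name": "Suspicious Parent Process", "tactic": "Execution"},
    {"_time": 300, "risk_object": "WS-042", "risk_object_type": "system",
     "risk_score": 40, "search_name": "LSASS Memory Access", "tactic": "Credential Access"},
    {"_time": 150, "risk_object": "bjones", "risk_object_type": "user",
     "risk_score": 30, "search_name": "Login From New Country", "tactic": "Initial Access"},
]

SCORE_THRESHOLD = 100   # assumed aggregate risk score that triggers a notable
TACTIC_THRESHOLD = 3    # assumed number of distinct ATT&CK tactics that triggers a notable


@dataclass
class RiskAggregate:
    """Everything known about one risk object inside the search window."""
    risk_object: str
    risk_object_type: str
    total_score: int = 0
    events: list = field(default_factory=list)
    sources: set = field(default_factory=set)
    tactics: set = field(default_factory=set)


def aggregate_risk(events, window_start, window_end):
    """Group risk events by (object, type) inside the time window.

    This is the many-to-one step: however many Risk Rules fired, the result
    is one aggregate per object, keyed by (risk_object, risk_object_type).
    """
    aggregates = {}
    for ev in events:
        if not (window_start <= ev["_time"] <= window_end):
            continue
        key = (ev["risk_object"], ev["risk_object_type"])
        if key not in aggregates:
            aggregates[key] = RiskAggregate(*key)
        agg = aggregates[key]
        agg.total_score += ev["risk_score"]
        agg.events.append(ev)
        agg.sources.add(ev["search_name"])
        agg.tactics.add(ev["tactic"])
    return aggregates


def risk_incident_rule(events, window_start, window_end,
                       score_threshold=SCORE_THRESHOLD,
                       tactic_threshold=TACTIC_THRESHOLD):
    """Model of a Risk Incident Rule: one notable per object whose aggregate
    crosses either threshold, carrying the contributing events as context."""
    notables = []
    for agg in aggregate_risk(events, window_start, window_end).values():
        reasons = []
        if agg.total_score >= score_threshold:
            reasons.append(f"risk_score {agg.total_score} >= {score_threshold}")
        if len(agg.tactics) >= tactic_threshold:
            reasons.append(f"{len(agg.tactics)} distinct tactics >= {tactic_threshold}")
        if reasons:
            notables.append({
                "risk_object": agg.risk_object,
                "risk_object_type": agg.risk_object_type,
                "risk_score": agg.total_score,
                "event_count": len(agg.events),
                "sources": sorted(agg.sources),
                "tactics": sorted(agg.tactics),
                "reasons": reasons,
            })
    # Highest aggregate score first, the order an analyst would triage in.
    return sorted(notables, key=lambda n: -n["risk_score"])


if __name__ == "__main__":
    for notable in risk_incident_rule(RISK_EVENTS, 50, 400):
        print(notable)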



So RBA is just a new feature in Splunk ES?

Yes and no. Risk Based Alerting can be a fundamental shift in how you detect and alert on threats. It's first and foremost a framework that's built and scaled using first principles.

  • The framework provides a shared vocabulary that tracks throughout the entire Identify, Protect, Detect, Respond, Recover lifecycle.

  • The shared vocabulary and transparency allow security teams to align objectives. With shared priorities, all of the security teams are able to work together more efficiently and effectively.

  • The end result is metrics and performance improvements of 10x or more.



What does Highland Defense actually do?

Highland Defense is a Splunk partner. We have three core offerings:

  1. Distribute and support our OutpostRBA premium Splunk App

  2. Provide implementation and training services for our Splunk App

  3. Provide professional services for Splunk and Splunk ES as experts in threat detection, security operations and Splunk.



What are the first principles that OutpostRBA is built on?

OutpostRBA is built on three first principles:

  1. Expand - look at more data with broader detections.

  2. Relate - around objects, allowing you to realize a "many-to-one" efficiency at large scale.

  3. Enrich - use the expanded data and relationships to automatically show the depth of context behind each alert, including related objects and their own context.



When did Risk Based Alerting become a thing?

Splunk released their first embedded RBA features in Enterprise Security 6.5 in late 2020. Before that, a number of Splunk customers were using a publicly available Splunk App (SA_RBA) downloaded from GitHub.



How long has Highland Defense been working with RBA?

Our co-founder and CTO, Stuart McIntosh, gave the first RBA in Splunk ES talk at .conf2018. In 2019, we founded Highland Defense (originally Outpost Security) to deliver RBA as a supported Splunk App. 

Highland Defense made a significant contribution to programming the SA_RBA App. Since then we have released a proprietary Splunk App that extends the capabilities of Splunk ES RBA. To date, over 500,000 users are alerted on daily in multiple Fortune 500 environments.



Why would I use the OutpostRBA App instead of RBA In Splunk ES?

While the RBA fundamentals are built into Splunk ES, large and complex environments will require advanced techniques and custom programming to implement Risk Based Alerting in your SOC.

OutpostRBA is a Splunk App that includes all of the advanced features and workflows that will make RBA effective in your large environment, saving you months of programming and effort to deploy.

We pair that with a proven implementation method, modifications per your specifications, and multiple trainings for your Splunk and security teams to make Risk Based Alerting the fully functioning foundation of your detection and alerting program in about 3 months.



Why would I use Splunk RBA in ES if OutpostRBA is a more complete solution?

While Splunk ES RBA has some limitations, it is an excellent start to your journey in implementing Risk Based Alerting in your organization. In our experience, if you are writing fewer than 100,000 risk events to the risk index per week (your detections are generating fewer than 100,000 events), you should run into only minimal scale and complexity issues, which can be solved easily.



Why Splunk ES?

Splunk ES offers core functionality that is either not found in other SIEMs or not easy to leverage there (i.e. it requires non-native programming/functionality):

  • Ability to combine data across sources.

  • Ability to normalize data to make the source technologies interchangeable.

  • Ability to incorporate foundational data (assets, identities, threat intel) using a common framework.



What Fortune 500s have you worked with?

We don't publicly disclose that, but we are happy to connect you with our satisfied customers from those companies as well as RSMs and SEs at Splunk.



Where do companies make mistakes in implementing RBA?

Because RBA is such a foundational shift (when implemented fully), it's difficult to be successful without going "all-in". Specifically, we see Splunk customers make three major mistakes early in their RBA journey.

  1. Failing to properly normalize assets, identities, and log data.

  2. Viewing RBA as just a technology or a "new detection method".

  3. Attempting to "game the system" by putting too much or too little weight on individual event risk scores.



What about automation - won't that eliminate the need for RBA?

Security automation has huge potential in solving a multitude of challenges facing security teams. RBA actually makes automation faster, easier, and more robust. The alerts RBA generates are highly structured, with rich context, allowing universal playbooks to run effectively and minimizing the overhead and maintenance required from automation engineers.



I have all of these legacy systems, do I need to worry about those before I can change my alerting methodology?

With Splunk and OutpostRBA, we can absorb the data from your legacy systems and give you the opportunity to cut over to new systems seamlessly, without security gaps or an overhaul of the SIEM and your existing detections.



I'm getting less and less value from my MSSP - can I get rid of them with RBA?

Yes. An OutpostRBA implementation allows you to become exponentially more self-reliant without adding staff. By eliminating L1 alerts, your MSSP won't have much left to do (except maybe cover nights & weekends).



Does the OutpostRBA Splunk App work in the cloud?

Yes. Every version of our App is validated by Splunk AppInspect, and we are happy to share the inspection report with you.
