Keep standard alerts when migrating to RBA #26

ZachTheSplunker · 2023-01-10T03:02:44Z

ZachTheSplunker
Jan 10, 2023
Maintainer

Question from "The Office" Hours meetup

When you implement RBA, do you still keep standard alerts or are all of the Correlation Searches moved to RBA? And if you keep some standard alerts, why?

ZachTheSplunker · 2023-01-10T03:06:38Z

ZachTheSplunker
Jan 10, 2023
Maintainer Author

Answer from "The Office" Hours meetup

The standard or "traditional" correlation searches can still provide value on high fidelity, low volume alerts. An excellent example is if you need to be notified immediately if a specific PowerShell command is run in your environment. These standard alerts work best if they are directly actionable. If they are not and they produce a lot of noise, this could be a good candidate for a Risk Rule in RBA.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Keep standard alerts when migrating to RBA #26

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Keep standard alerts when migrating to RBA #26

ZachTheSplunker Jan 10, 2023 Maintainer

Replies: 1 comment

ZachTheSplunker Jan 10, 2023 Maintainer Author

ZachTheSplunker
Jan 10, 2023
Maintainer

ZachTheSplunker
Jan 10, 2023
Maintainer Author