https://github.com/apger/SA-RBA

Risk Based Alerting Supporting Add-On (SA) for Splunk
# SA-RBA (DEPRECATED)
This reference app is no longer supported, but fear not: RBA is still thriving. The mechanics detailed in this app are now built into Splunk Enterprise Security and fully supported as of version 6.6.

The investigative dashboards shown off in the Splunk RBA demo are an often requested artifact, and I posted them here: https://github.com/apger/RBA-ES6.6-Demo-Dashboards

## Dependencies
URL Toolbox: https://splunkbase.splunk.com/app/2734/

Semicircle Donut Chart Viz: https://splunkbase.splunk.com/app/4378/

Network Diagram Viz: https://splunkbase.splunk.com/app/4438/

Sankey Diagram - Custom Visualization: https://splunkbase.splunk.com/app/3112/

Event Timeline Viz: https://splunkbase.splunk.com/app/4370/

## Note on proxy usage
azerty728 correctly pointed out in one of the previous issues that the genmitrelookup script runs just fine through a locally configured proxy when a single line (`import os`) is added to the underlying Python script. That fix has been added and tested against the Splunk best practices for configuring a proxy: https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/ConfigureSplunkforproxy or https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Serverconf.