https://github.com/splunk/rba
RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.
- Host: GitHub
- URL: https://github.com/splunk/rba
- Owner: splunk
- Created: 2022-08-26T18:06:30.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-08-26T16:35:19.000Z (5 months ago)
- Last Synced: 2025-08-26T23:12:50.286Z (5 months ago)
- Topics: rba, splunk, splunk-rba
- Homepage: https://splunk.github.io/rba/
- Size: 6.65 MB
- Stars: 57
- Watchers: 17
- Forks: 12
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Contributing: docs/contributing/contributing-guidelines.md
- Codeowners: .github/CODEOWNERS
README
# RBA all day
Welcome to the wonderful world of Risk-Based Alerting!
RBA is Splunk's method to aggregate low-fidelity security events, recorded as risk observations tagged with security metadata (the affected user or system, a risk score, and MITRE ATT&CK annotations), into high-fidelity, low-volume alerts.
## Documentation
See the web based documentation at https://splunk.github.io/rba/
## Searches
Useful SPL from the RBA community for working with risk events.
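The roll-up that turns risk events into an alert, as an added example in Python (not code from the splunk/rba repository or the community searches it collects): it models, over constructed sample events, what a Splunk risk-incident rule computes in SPL over the risk index. The field names risk_object, risk_object_type, risk_score and source are the Splunk ES risk-event fields; the flattened tactic and technique_id fields, the event values, the 24-hour window and the two thresholds (summed score with a minimum number of distinct detections, and distinct ATT&CK tactics) are assumptions for this example.

```python
"""Risk-based alerting roll-up modelled in Python (added example, not splunk/rba code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events. Field names follow a Splunk ES risk event
# (risk_object, risk_object_type, risk_score, source); tactic/technique_id
# stand in for the ATT&CK annotations. Values are invented for this example.
SAMPLE_RISK_EVENTS = [
    # jdoe: four different low-scoring detections spanning four tactics.
    {"_time": "2024-05-01T09:00:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 10, "source": "Multiple Failed Logons",
     "tactic": "Credential Access", "technique_id": "T1110"},
    {"_time": "2024-05-01T09:05:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "source": "PowerShell Download Cradle",
     "tactic": "Execution", "technique_id": "T1059.001"},
    {"_time": "2024-05-01T09:20:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "source": "Run Key Persistence",
     "tactic": "Persistence", "technique_id": "T1547.001"},
    {"_time": "2024-05-01T09:25:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 40, "source": "Rare External Destination",
     "tactic": "Command and Control", "technique_id": "T1071"},
    # jdoe: a high-scoring event three days earlier, outside the window.
    {"_time": "2024-04-28T10:00:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 200, "source": "Rare External Destination",
     "tactic": "Command and Control", "technique_id": "T1071"},
]
# build-srv-01: the same noisy detection firing 12 times in one hour.
SAMPLE_RISK_EVENTS += [
    {"_time": f"2024-05-01T10:{m:02d}:00", "risk_object": "build-srv-01",
     "risk_object_type": "system", "risk_score": 10, "source": "Multiple Failed Logons",
     "tactic": "Credential Access", "technique_id": "T1110"}
    for m in range(0, 60, 5)
]

# End of the evaluation window for the sample data (assumed).
WINDOW_END = datetime(2024, 5, 1, 12, 0, 0)


def aggregate_risk(events, window_end, window=timedelta(hours=24)):
    """Roll up risk events per (risk_object_type, risk_object) inside the window.

    Equivalent to a stats-by-risk_object roll-up: summed score, event count, and
    the distinct detections, tactics and techniques that contributed. Events at
    or before window_end - window are ignored.
    """
    start = window_end - window
    rollup = defaultdict(lambda: {"total_score": 0, "event_count": 0,
                                  "sources": set(), "tactics": set(), "techniques": set()})
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        if not (start < ts <= window_end):
            continue
        r = rollup[(ev["risk_object_type"], ev["risk_object"])]
        r["total_score"] += ev["risk_score"]
        r["event_count"] += 1
        r["sources"].add(ev["source"])
        r["tactics"].add(ev["tactic"])
        r["techniques"].add(ev["technique_id"])
    return dict(rollup)


def risk_notables(events, window_end, window=timedelta(hours=24),
                  score_threshold=100, min_sources=3, tactic_threshold=3):
    """Return one notable per risk object that crosses a threshold.

    Two rules (thresholds assumed for this example): "score" fires when the
    summed risk_score reaches score_threshold AND at least min_sources distinct
    detections contributed, so one noisy detection repeating cannot alert on
    its own; "tactics" fires when the object touched tactic_threshold or more
    distinct ATT&CK tactics, the attack-chain signal RBA is built to surface.
    """
    notables = []
    for (otype, obj), r in aggregate_risk(events, window_end, window).items():
        rules = []
        if r["total_score"] >= score_threshold and len(r["sources"]) >= min_sources:
            rules.append("score")
        if len(r["tactics"]) >= tactic_threshold:
            rules.append("tactics")
        if rules:
            notables.append({"risk_object": obj, "risk_object_type": otype,
                             "total_score": r["total_score"],
                             "sources": sorted(r["sources"]),
                             "tactics": sorted(r["tactics"]), "rules": rules})
    return notables


if __name__ == "__main__":
    for n in risk_notables(SAMPLE_RISK_EVENTS, WINDOW_END):
        print(n)
```

With the sample data, jdoe's four distinct detections sum to 100 across four tactics and produce a notable, while build-srv-01 accumulates a higher score (120) from a single repeating detection and produces nothing; the 200-point event from three days earlier is excluded by the window. That asymmetry is the point of RBA: breadth of independent evidence, not raw volume, is what earns an analyst's attention.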
## Dashboards
Simple XML or JSON for Splunk dashboards to streamline risk analysis.
## Risk Rules
Splunk's Threat Research Team maintains an incredible library of over 1000 detections in Splunk's [Enterprise Security Content Updates](https://research.splunk.com/) (ESCU). You can use Marcus Ferrera and Drew Church's awesome [ATT&CK Detections Collector](https://github.com/splunk/attack-detections-collector) to generate a handy HTML file of the ESCU detections relevant to you, aligned with MITRE ATT&CK.