From 2eaae97d87eab1918f14e485063e52409897b81c Mon Sep 17 00:00:00 2001 From: Zachary Christensen Date: Thu, 12 Sep 2024 20:18:28 -0600 Subject: [PATCH] added uba-lite to navigation Signed-off-by: Zachary Christensen --- docs/searches/index.md | 6 +++++- docs/searches/uba-lite_with_statistics.md | 2 +- mkdocs.yml | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/searches/index.md b/docs/searches/index.md index 5b48908..ca2845e 100644 --- a/docs/searches/index.md +++ b/docs/searches/index.md @@ -50,4 +50,8 @@ One of the great features in RBA is knowing how often something has occurred in ## [Threat Object Types](./threat_object_types.md) -Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917){ target="blank" } can be helpful for all three. \ No newline at end of file +Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917){ target="blank" } can be helpful for all three. + +## [UBA-lite with Basic Statistics](./uba-lite_with_statistics.md) + +By comparing entity activity against itself or entities in a peer group (IE business unit, asset category, etc), you can create rules that offer anomaly detection capabilities similar to a UBA/UEBA solution. \ No newline at end of file diff --git a/docs/searches/uba-lite_with_statistics.md b/docs/searches/uba-lite_with_statistics.md index 11f608e..e7f8287 100644 --- a/docs/searches/uba-lite_with_statistics.md +++ b/docs/searches/uba-lite_with_statistics.md 
@@ -1,6 +1,6 @@ # UBA-lite with Basic Statistics -By comparing entity activity against itself or entities in a peer group (IE business unit, asset category, etc), you can create rules that offer anomaly detection capabilities similar to a UBA/UEBA solution. In RBA, you might use this as rules that generate risk events, or a field to use as a risk factor, or even just tags for the entity so that when you're investigating a risk-based alert you have an idea that this entity has been behaving erratically compared to various standards of behavior. Also please consider using the incredible step-by-step guided mode of the [Splunk App for Behavioral Profiling](https://splunkbase.splunk.com/app/6980) by Josh Cowling, Rupert Truman, and Premkumar Vyas; it's incredible! +By comparing entity activity against itself or entities in a peer group (IE business unit, asset category, etc), you can create rules that offer anomaly detection capabilities similar to a UBA/UEBA solution. In RBA, you might use this as rules that generate risk events, or a field to use as a risk factor, or even just tags for the entity so that when you're investigating a risk-based alert you have an idea that this entity has been behaving erratically compared to various standards of behavior. Also please consider using the incredible step-by-step guided mode of the [Splunk App for Behavioral Profiling](https://splunkbase.splunk.com/app/6980){ target="_blank" } by Josh Cowling, Rupert Truman, and Premkumar Vyas; it's incredible! ## Example: Event Count Variance per Category by Risk Object diff --git a/mkdocs.yml b/mkdocs.yml index 7b7b2e6..f3cdf3c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -121,6 +121,7 @@ nav: - Risk Notable History: searches/risk_notable_history.md - Threat Object Prevalence: searches/threat_object_prevalence.md - Threat Object Types: searches/threat_object_types.md + - UBA-lite with Basic Statistics: searches/uba-lite_with_statistics.md - Dashboards: - dashboards/index.md - ATT&CK Matrix Risk: dashboards/attack_matrix_risk.md
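Review bot: the `{ target="blank" }` attribute on the Threat Object Fun link, carried as unchanged context in the docs/searches/index.md hunk, has the same defect that this commit fixes on the uba-lite page: `blank` is treated as a named browsing context rather than the `_blank` keyword, so the link reuses a single window named "blank" instead of reliably opening a new tab. Since the commit already edits this file, change it to `{ target="_blank" }` here as well so the two pages agree. Two smaller points on the same hunk: the file still ends with `\ No newline at end of file` after the change, so add a trailing newline while you are in there; and `(IE business unit, asset category, etc)` reads more cleanly as `(i.e. business unit, asset category, etc.)`, both here and in the identical sentence on the uba-lite page.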
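Review bot: the added `{ target="_blank" }` on the Splunk App for Behavioral Profiling link in the docs/searches/uba-lite_with_statistics.md hunk should also carry `rel="noopener"`, i.e. `{ target="_blank" rel="noopener" }`, because a page opened with `target="_blank"` can otherwise obtain a `window.opener` reference back to the docs tab in browsers that do not apply the implicit noopener default; the attr_list syntax already used on this line accepts both attributes. This link change is also not covered by the commit subject "added uba-lite to navigation", so either mention it in the commit message or split it into its own commit.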