Skip to content

RBA all day

Welcome to the wonderful world of Risk-Based Alerting!

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.


Useful SPL from the RBA community for working with risk events.


Simple XML or JSON for Splunk dashboards to streamline risk analysis.

Risk Rules

Splunk's Threat Research Team has an incredible library of over 1000 detections in the Splunk's Enterprise Security Content Updates library. You can use Marcus Ferrera and Drew Church's awesome ATT&CK Detections Collector to pop out a handy HTML file of relevant ESCU detections for you to align with MITRE ATT&CK.

The RBA Community

The RBA Community
    Join the RBA Community Today!

The RBA Community The RBA Community

The RBA Community is a group of professionals dedicated to advancing the field of risk-based alerting (RBA) and Splunk Enterprise Security (ES). Our mission is to provide a forum for sharing knowledge, best practices, and the latest developments in RBA and ES, and to help professionals enhance their understanding and skills in these areas.

Whether you’re new to RBA and ES or a seasoned pro, The RBA Community has something for everyone. We invite you to join us on this journey to enhance your understanding and expertise in RBA and ES – don’t miss out on this opportunity to learn from the best and connect with other professionals in the field.

Learn more


Want to contribute? See our contributing guidelines.


See discussions and frequently asked questions on our GitHub Discussions board.

Visit Discussion Board

Last update: September 1, 2023
Created: December 22, 2022