Modifying risk incident rules based on the search results
Modify the risk incident rules based on the search results prior to deploying risk-based alerting in a production environment.
If you determine that a risk incident rule represents a low threat, you can assign it a low risk score so that it rarely generates alerts. The risk scores associated with assets and identities are only one component of the detection process. The risk notable searches that an analyst tunes, based on prior experience and knowledge, help to construct risk stories that detect threats, prioritize investigations, run adversary simulations, and define threat hunting perspectives.
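The effect of such tuning is easiest to judge by replaying it against the risk events a search actually returned. The following is an added illustration, not Splunk code or a page from this product's own scripts: it models a risk incident rule as a function that sums risk per risk object over a window and fires when the sum meets a threshold (an assumed simplification of the real aggregation), and then compares alert volume before and after lowering the score of one noisy detection. The event shape, the detection names and all scores are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEvent:
    """One event in the risk index (constructed shape, not the Splunk schema)."""
    risk_object: str       # user or host the risk is attributed to
    risk_object_type: str  # "user" or "system"
    source: str            # name of the detection (risk rule) that wrote it
    risk_score: int        # score the risk rule assigned to this event
    time: int              # seconds since epoch


# Constructed sample risk events for one 24-hour window; not real data.
SAMPLE_RISK_EVENTS = [
    RiskEvent("svc_backup", "user", "Excessive Failed Logins", 40, 100),
    RiskEvent("svc_backup", "user", "Excessive Failed Logins", 40, 3700),
    RiskEvent("svc_backup", "user", "Excessive Failed Logins", 40, 7300),
    RiskEvent("alice", "user", "Excessive Failed Logins", 40, 500),
    RiskEvent("alice", "user", "New Local Admin Account", 50, 600),
    RiskEvent("alice", "user", "Suspicious Encoded PowerShell Command", 60, 700),
    RiskEvent("WS-042", "system", "Rare Process Execution", 30, 900),
    RiskEvent("bob", "user", "New Local Admin Account", 50, 200_000),  # outside the window
]


def aggregate_risk(events, window_start=0, window_end=86_400):
    """Sum risk_score per risk object over the window and record which
    detections contributed; this is the aggregate a risk incident rule acts on."""
    totals = defaultdict(lambda: {"risk_score": 0, "sources": set()})
    for ev in events:
        if window_start <= ev.time < window_end:
            entry = totals[(ev.risk_object_type, ev.risk_object)]
            entry["risk_score"] += ev.risk_score
            entry["sources"].add(ev.source)
    return dict(totals)


def risk_notables(events, threshold, min_sources=1, **window):
    """Risk objects whose aggregated score meets the threshold and, optionally,
    a minimum number of distinct contributing detections.
    Returns [(risk_object, risk_score), ...] sorted by score, highest first."""
    hits = [
        (obj, agg["risk_score"])
        for (_type, obj), agg in aggregate_risk(events, **window).items()
        if agg["risk_score"] >= threshold and len(agg["sources"]) >= min_sources
    ]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def rescore(events, source, new_score):
    """Copy of the events with the score of one detection replaced: models
    lowering the score of a noisy risk rule instead of disabling it."""
    return [replace(ev, risk_score=new_score) if ev.source == source else ev
            for ev in events]


if __name__ == "__main__":
    print("threshold 100:", risk_notables(SAMPLE_RISK_EVENTS, 100))
    tuned = rescore(SAMPLE_RISK_EVENTS, "Excessive Failed Logins", 10)
    print("threshold 100, failed logins rescored to 10:", risk_notables(tuned, 100))
    print("threshold 100, at least 2 distinct sources:",
          risk_notables(SAMPLE_RISK_EVENTS, 100, min_sources=2))
```

In the constructed data, the service account trips the rule purely on repeated failed logins, while the user account accumulates risk from three different detections. Lowering the score of the noisy detection removes the service-account notable and keeps the multi-detection one; requiring two distinct sources has the same effect without touching any score. Either change is the kind of adjustment to make against real search results before the rule goes to production.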