"Splunk"
- Splunk Risk-Based Alerting: from alert-per-rule to score-aggregated notables
The RBA methodology in Splunk Enterprise Security: the three-layer risk score / risk modifier / notable model, step-by-step ES configuration, a tuning playbook (false positives, score inflation, threshold drift, decay), capacity and cost considerations, and integration with SOAR and case management
- Splunk → Elastic Security Detection Rule Migration: a six-phase playbook and five major pitfalls
A detection rule translation playbook for migrating from Splunk Enterprise Security to Elastic Security: SPL ↔ KQL/ES|QL schema mapping, an AI-assisted translation pipeline, parallel-run comparison, cutover routing, five production pitfalls (unmapped macros, time zone differences, summary index mismatches, alert dedup key collisions, decommissioning too early), and a capacity/cost comparison