Update this_then_that_alerts.md

Added Ryan Moss' analytic stories conf talk
splunk · Apr 15, 2024 · cb043c9 · cb043c9
1 parent 84e26f3
commit cb043c9
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/docs/searches/this_then_that_alerts.md b/docs/searches/this_then_that_alerts.md
@@ -15,6 +15,8 @@ index=risk sourcetype=stash search_name="Search1" OR search_name="Search2"
 
 The benefit of not doing this in a single search is you still have the individual risk events as useful observations, and then can add more risk when observed together, or tweak risk down for noisy events without "allowlisting" altogether.
 
+[Ryan Moss from Verizon also spoke about using Analytic Stories with RBA](https://conf.splunk.com/files/2023/recordings/SEC1402A.mp4) which is another excellent method for low volume, high fidelity chained detections.
+
 ---
 <small>Authors</small>
 
@@ -23,4 +25,4 @@ The benefit of not doing this in a single search is you still have the individua
         <img class="github-avatar" src="https://avatars.githubusercontent.com/u/12771156?v=4){ class="github-avatar"/>
     </a>
     <span class="zts-tooltip-text">@7thdrxn - Haylee Mills</span>
-</div>
+</div>