Description
Overview
Two customer SDH tickets have come in from customers who were confused about Entity Analytics risk scoring under the following circumstances:
- An entity was previously scored based on its open alerts, and later all of the alerts for that entity were closed
- An entity was previously scored, but all of its open alerts fell outside of the "lookback window"
In either case, the entity risk engine's current behavior is that the entity retains a "residual risk": it keeps the last computed risk score from then on, until a new alert causes the score to be recomputed.
Some customers do not expect this behavior; they expect the entity's risk score to reset to zero in these situations on the next run of the engine.
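To make the two situations concrete, here is a small simulation of an entity risk engine with a lookback window. This is an added illustration, not Kibana's risk engine code: the `Alert` shape, the `aggregate` formula, the entity names and the `reset_to_zero` flag are all constructed for this example. It replays both cases (alerts closed; alerts aged out of the window) and shows the current residual-risk behavior beside the proposed reset-to-zero behavior.

```python
"""Toy model of entity risk scoring with a lookback window.

Constructed illustration only; not the Elastic risk engine's code.
The aggregation formula, data shapes and sample alerts are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    entity: str
    risk: float            # per-alert risk contribution (assumed 0-100)
    created_at: datetime
    status: str            # "open" or "closed"


def _eligible(alert, entity, now, lookback):
    """An alert counts only if it is open and inside the lookback window."""
    return (
        alert.entity == entity
        and alert.status == "open"
        and now - alert.created_at <= lookback
    )


def aggregate(risks):
    """Constructed aggregation: the highest alert counts fully, each further
    alert contributes half as much as the one before it, capped at 100."""
    total = 0.0
    for i, r in enumerate(sorted(risks, reverse=True)):
        total += r / (2 ** i)
    return min(total, 100.0)


def run_engine(alerts, entities, previous_scores, now, lookback, reset_to_zero=False):
    """One engine run. Returns {entity: score}.

    Default behavior (as the issue describes): an entity with no eligible
    alerts keeps its previous ("residual") score. With reset_to_zero=True
    (the proposed option) it drops to 0.0 instead.
    """
    scores = {}
    for entity in entities:
        risks = [a.risk for a in alerts if _eligible(a, entity, now, lookback)]
        if risks:
            scores[entity] = aggregate(risks)
        elif reset_to_zero:
            scores[entity] = 0.0
        else:
            scores[entity] = previous_scores.get(entity, 0.0)
    return scores


def demo():
    """Replays the two confusing situations from the issue with constructed data."""
    lookback = timedelta(days=30)
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    alerts = [
        Alert("host-a", 80.0, t0, "open"),
        Alert("host-a", 30.0, t0, "open"),
        Alert("user-b", 60.0, t0, "open"),
    ]
    entities = ["host-a", "user-b"]

    # Run 1: both entities have open alerts inside the window.
    run1 = run_engine(alerts, entities, {}, t0 + timedelta(hours=1), lookback)

    # Case 1: all of host-a's alerts are closed before the next run.
    closed = [
        Alert(a.entity, a.risk, a.created_at, "closed") if a.entity == "host-a" else a
        for a in alerts
    ]
    run2 = run_engine(closed, entities, run1, t0 + timedelta(hours=2), lookback)

    # Case 2: user-b's only alert ages out of the 30-day window.
    later = t0 + timedelta(days=31)
    run3 = run_engine(closed, entities, run2, later, lookback)
    run3_reset = run_engine(closed, entities, run2, later, lookback, reset_to_zero=True)
    return run1, run2, run3, run3_reset


if __name__ == "__main__":
    for label, result in zip(("run1", "run2", "run3", "run3 reset"), demo()):
        print(label, result)
```

In run 2 `host-a` has no open alerts and in run 3 `user-b` has none inside the window, yet both keep their earlier scores; only the `reset_to_zero` run drops them to 0.0. That persistence is exactly the residual risk the proposed doc sentence describes.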
To remedy this, we will do two things:
- Document this behavior in the existing docs, to reduce customer confusion
- In an upcoming version of Elastic Security (currently targeting 9.2), introduce a "reset to zero" option that customers can configure if desired
This current docs-content ticket only covers the first of these remedies.
Proposed documentation update
An example of how we might update the docs is below; please use your best judgment.
At the bottom of the main Entity risk scoring docs page (suggestion in bold):
The risk score is updated every hour based on the configured date and time range, which defaults to 30 days. Each update generates a new score, calculated independently of any previous scores. **For a given entity, when all alerts have fallen out of the configured date and time range, or if all alerts have been closed, the entity will retain a residual risk of the most recently computed score.**
Resources
N/A
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
N/A
Serverless release
N/A
Collaboration model
The documentation team
Point of contact
Main contact: @jaredburgettelastic @hop-dev
Docs team contact: @natasha-moore-elastic