Description
Overview
We've gotten customer inquiries on whether alerts that are "building block" alerts behave differently with regard to Entity Analytics risk scoring. In fact, they behave exactly the same as "normal" alerts from the risk scoring perspective. We should document this for better clarity.
Proposed documentation update
An example of how we might update the docs can be found below. However, please feel free to use your best judgment.
In the section titled "How is risk score calculated?", we could very simply add the following (suggestion in bold):
The risk scoring engine runs hourly to aggregate Open and Acknowledged alerts from the last 30 days, **including building block alerts**. For each entity, the engine processes up to 10,000 alerts.
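As an added illustration of the selection rule described in the proposed text (this is example code written for this issue, not Elastic's risk engine code), the snippet below reproduces the rule over constructed sample alerts: keep alerts whose workflow status is open or acknowledged, dated within the last 30 days, capped at 10,000 per entity, with no filter on the building block marker at all. The alert field names (`kibana.alert.workflow_status`, `kibana.alert.building_block_type`, `@timestamp`, `host.name`) and the fixed clock are assumptions, as is the equivalent query DSL returned by `search_body`; a practitioner can run the same query against their own alerts index to confirm that building block alerts are counted.

```python
"""Example only: reproduces the documented alert selection for risk scoring.
Not Elastic's code. Field names and the fixed clock below are assumptions."""
from datetime import datetime, timedelta, timezone

# Assumed Kibana alert document fields (assumption, not stated in the issue).
STATUS_FIELD = "kibana.alert.workflow_status"
BB_FIELD = "kibana.alert.building_block_type"
TS_FIELD = "@timestamp"

ELIGIBLE_STATUSES = {"open", "acknowledged"}   # Open and Acknowledged only
WINDOW = timedelta(days=30)                     # last 30 days
MAX_ALERTS_PER_ENTITY = 10_000                  # per-entity cap

# Fixed "now" so the example is reproducible offline (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def is_in_scope(alert, now=NOW):
    """True if the alert would be aggregated by the engine.

    Deliberately never looks at BB_FIELD: a building block alert passes or
    fails on exactly the same criteria as any other alert.
    """
    ts = datetime.fromisoformat(alert[TS_FIELD].replace("Z", "+00:00"))
    if now - ts > WINDOW:
        return False
    return alert.get(STATUS_FIELD) in ELIGIBLE_STATUSES


def alerts_per_entity(alerts, entity_field, now=NOW):
    """Group in-scope alerts by entity, newest first, capped per entity."""
    buckets = {}
    for alert in sorted(alerts, key=lambda a: a[TS_FIELD], reverse=True):
        if not is_in_scope(alert, now):
            continue
        entity = alert.get(entity_field)
        if entity is None:
            continue
        bucket = buckets.setdefault(entity, [])
        if len(bucket) < MAX_ALERTS_PER_ENTITY:
            bucket.append(alert)
    return buckets


def search_body(entity_field, now=NOW):
    """Equivalent Elasticsearch query DSL for checking the rule against a
    real alerts index (assumed field names). Note the absence of any clause
    on the building block field."""
    return {
        "query": {"bool": {"filter": [
            {"terms": {STATUS_FIELD: sorted(ELIGIBLE_STATUSES)}},
            {"range": {TS_FIELD: {"gte": (now - WINDOW).isoformat(),
                                  "lte": now.isoformat()}}},
            {"exists": {"field": entity_field}},
        ]}},
        "size": MAX_ALERTS_PER_ENTITY,
        "sort": [{TS_FIELD: "desc"}],
    }


# Constructed sample alerts (not real data). BB_FIELD present = building block.
SAMPLE_ALERTS = [
    {TS_FIELD: "2024-05-31T10:00:00Z", STATUS_FIELD: "open", "host.name": "web-01"},
    {TS_FIELD: "2024-05-30T10:00:00Z", STATUS_FIELD: "open", BB_FIELD: "default", "host.name": "web-01"},
    {TS_FIELD: "2024-05-29T10:00:00Z", STATUS_FIELD: "acknowledged", BB_FIELD: "default", "host.name": "web-01"},
    {TS_FIELD: "2024-05-28T10:00:00Z", STATUS_FIELD: "closed", "host.name": "web-01"},          # closed: excluded
    {TS_FIELD: "2024-04-01T10:00:00Z", STATUS_FIELD: "open", BB_FIELD: "default", "host.name": "web-01"},  # 61 days old: excluded
    {TS_FIELD: "2024-05-31T12:00:00Z", STATUS_FIELD: "open", BB_FIELD: "default", "host.name": "db-01"},
]

if __name__ == "__main__":
    for entity, bucket in alerts_per_entity(SAMPLE_ALERTS, "host.name").items():
        bb = sum(1 for a in bucket if BB_FIELD in a)
        print(f"{entity}: {len(bucket)} alerts in scope ({bb} building block)")
```

For `web-01` the three in-scope alerts are one normal open alert and two building block alerts (one open, one acknowledged); the closed alert and the 61-day-old building block alert are dropped for status and age respectively, never because of the building block marker.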
Note
An aside:
"How is risk score calculated?" sounds a little awkward. Should we change this? Maybe "How are risk scores calculated?"?
Resources
N/A
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
N/A
Serverless release
N/A
Collaboration model
The documentation team
Point of contact.
Main contact: @jaredburgettelastic @hop-dev
Docs contact: @natasha-moore-elastic