Description
The Entity Analytics Risk scoring feature now includes a new configuration setting that allows entity risk scores to automatically "reset" back to zero in situations where there are no new inputs found for that entity.
Copy suggestion
Please feel free to use this copy suggestion as a base, with any changes as desired:
BEFORE:
Residual risk score
In some cases, entities can retain a residual risk score:
- If all alerts for an entity are closed
- If all of the entity’s open alerts fall outside of the configured date and time range
In these situations, the entity retains its last computed risk score until a new alert causes the score to be recalculated.
AFTER:
Residual risk score
The entity risk scoring feature can be configured to retain a residual risk score by enabling the "Retain previously calculated risk scores" option within the Entity Risk Scoring management screen. Following the 9.2 release, this functionality is disabled by default when first turning on the risk engine.
If enabled, the most recently calculated risk score for an entity will be retained:
- If all alerts for an entity are closed
- If all of the entity’s open alerts fall outside of the configured date and time range
In these situations, the entity retains its last computed risk score until a new input (i.e., alert) causes the score to be recalculated.
Resources
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
9.2
Serverless release
Likely to coincide with 9.2 release
Collaboration model
The documentation team
Point of contact.
Engineering contacts: @jaredburgettelastic @tiansivive
Product contacts: Erik Huang
Documentation contact: @natasha-moore-elastic