diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md index 55137a1da1..e7ae8dfad8 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md @@ -26,7 +26,7 @@ Entity risk scores are determined by the following risk inputs: | [Alerts](../detect-and-alert/manage-detection-alerts.md) | `.alerts-security.alerts-` index alias | | [Asset criticality level](asset-criticality.md) | `.asset-criticality.asset-criticality-` index alias | -The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. +The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias, and the latest score for each entity is stored in `risk-score.risk-score-latest-`. ::::{note} Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. 
@@ -44,7 +44,7 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri :::: 2. The engine groups alerts by `host.name`, `user.name`, or `service.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-risk-summary). -3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. +3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine calculates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. | Asset criticality level | Default risk weight | | --- | --- | 
@@ -68,6 +68,7 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri | High | 70-90 | | Critical | > 90 | +The risk score is updated every hour based on the configured date and time range, which defaults to 30 days. Each update generates a new score, calculated independently of any previous scores. ::::{dropdown} Click for a risk score calculation example This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. @@ -93,7 +94,8 @@ To calculate the user risk score, the risk scoring engine: 2. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category. 3. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**. 4. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95. -5. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level. +5. Adds the asset criticality risk contribution score (16.95) to the aggregated risk score (36.16), and generates a user risk score of 53.11. +6. Assigns `User_A` a **Moderate** user risk level. If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16.
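Review bot: in the `@@ -26,7 +26,7 @@` hunk, the rewritten sentence names the storage type for the first location (`risk-score.risk-score-` is called a data stream alias) but not for the second, even though the table just above labels every location as an index alias or data stream alias. State what `risk-score.risk-score-latest-` is (index, index alias or data stream alias) so readers who query it know which pattern to use, e.g. "and the latest score for each entity is stored in the `risk-score.risk-score-latest-` index" with the correct type substituted.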
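Review bot: changing "updates" to "calculates" in step 3 of the `@@ -44,7 +44,7 @@` hunk drops the information that the result builds on the aggregated **Alerts** score; "calculates the risk score based on the default risk weight" now reads as if the weight alone determines the score, which contradicts the worked example later in this patch, where the asset criticality contribution (16.95) is added to the aggregated score (36.16). Suggest: "If a criticality level is assigned, the engine derives an asset criticality risk contribution from the default risk weight for that level and adds it to the aggregated score."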
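Review bot: the paragraph added in the `@@ -68,6 +68,7 @@` hunk immediately follows the `| Critical | > 90 |` table row, and the flattened hunk does not show a blank line between them; check that one exists in the file, because in GFM-style parsers a non-blank line directly after a table row is treated as another table row rather than a paragraph. Also, "based on the configured date and time range" should tell readers where that range is configured (a link to the engine settings page, in the same way this page already links to asset-criticality.md); without that, "configured" is not actionable. The sentence that each update is calculated independently of previous scores is a useful clarification and should stay.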
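Review bot: step 4 in the `@@ -93,7 +94,8 @@` hunk still introduces the 16.95 contribution without tying it to the **Extreme impact** default risk weight, so unlike the new step 5, whose arithmetic the reader can check (36.16 + 16.95 = 53.11), that number cannot be verified against the risk weight table earlier on the page. Either show how 16.95 follows from the Extreme impact weight, or at least say in step 4 that the contribution is derived from it, e.g. "Generates a new risk input under the **Asset Criticality** risk category, using the default risk weight for **Extreme impact**, with a risk contribution score of 16.95."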