Merged
Expand Up @@ -26,7 +26,7 @@ Entity risk scores are determined by the following risk inputs:
| [Alerts](../detect-and-alert/manage-detection-alerts.md) | `.alerts-security.alerts-<space-id>` index alias |
| [Asset criticality level](asset-criticality.md) | `.asset-criticality.asset-criticality-<space-id>` index alias |

The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias, and the latest score for each entity is stored in `risk-score.risk-score-latest-<space-id>`.

::::{note}
Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
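Review bot: the added sentence names `risk-score.risk-score-latest-<space-id>` without saying what kind of object it is, while the same sentence calls `risk-score.risk-score-<space-id>` a "data stream alias"; readers who query these directly will want to know whether `-latest-` is an index, an alias or a data stream, and how "the latest score for each entity" is chosen when scores are regenerated. Suggest stating the object type for both names and, in one clause, that the first keeps the history of scores while the second holds only the most recent one per entity (if that is the intended distinction).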
Expand All @@ -44,7 +44,7 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri
::::

2. The engine groups alerts by `host.name`, `user.name`, or `service.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-risk-summary).
3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary.
3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine calculates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary.

| Asset criticality level | Default risk weight |
| --- | --- |
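Review bot: changing "updates" to "calculates the risk score based on the default risk weight" in step 3 can be read as the criticality weight replacing the aggregated score, whereas the worked example later in this file adds a criticality contribution (16.95) to the Alerts score (36.16) to get 53.11; suggest wording that matches the example, e.g. "the engine adds a risk contribution derived from the default risk weight for the assigned criticality level to the aggregated score from the **Alerts** category".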
Expand All @@ -68,6 +68,7 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri
| High | 70-90 |
| Critical | > 90 |

The risk score is updated every hour based on the configured date and time range, which defaults to 30 days. Each update generates a new score, calculated independently of any previous scores.

::::{dropdown} Click for a risk score calculation example
This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**.
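Review bot: the new sentence "updated every hour based on the configured date and time range, which defaults to 30 days" runs the refresh interval and the look-back window together; suggest splitting them ("recalculated every hour" and "considers alerts from the configured time range, 30 days by default") and stating whether either value is configurable. Since the sentence also says each run is "calculated independently of any previous scores", this is the natural place to say how that relates to the `risk-score.risk-score-latest-<space-id>` store introduced earlier in this change, so readers know which store reflects only the newest run.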
Expand All @@ -93,7 +94,8 @@ To calculate the user risk score, the risk scoring engine:
2. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category.
3. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**.
4. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95.
5. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level.
5. Adds the asset criticality risk contribution score (16.95) to the aggregated risk score (36.16), and generates a user risk score of 53.11.
6. Assigns `User_A` a **Moderate** user risk level.

If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16.
