diff --git a/solutions/images/security-turn-on-risk-engine.png b/solutions/images/security-turn-on-risk-engine.png index 4bc05a67e0..20053dad6a 100644 Binary files a/solutions/images/security-turn-on-risk-engine.png and b/solutions/images/security-turn-on-risk-engine.png differ diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md index 0bf1b2e3e0..e5791729d9 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md @@ -80,7 +80,11 @@ In some cases, entities can retain a residual risk score: * If all alerts for an entity are closed * If all of the entity’s open alerts fall outside of the configured date and time range -In these situations, the entity retains its last computed risk score until a new alert causes the score to be recalculated. +{applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` By default, in these scenarios, entity risk scores are reset to zero if there are no new inputs. If, instead, you want entities to retain their last calculated risk score, select the **Retain previously calculated risk scores** checkbox on the [Entity risk score page](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#_turn_on_the_latest_risk_engine). + +:::{note} +In versions 9.1 and earlier, residual risk scores are retained by default. This means that each entity keeps its last computed risk score until a new alert triggers a recalculation. +::: ::::{dropdown} Click for a risk score calculation example This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. diff --git a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md index 1c2ae9b91c..58fad3a45a 100644 
--- a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md +++ b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md 
@@ -28,24 +28,25 @@ The preview is limited to two risk scores per {{kib}} instance or serverless pro :::: -To preview risky entities, find **Entity Risk Score** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +To preview risky entities, find **Entity risk score** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). ## Turn on the latest risk engine [_turn_on_the_latest_risk_engine] ::::{note} * To view risk score data, you must have alerts generated in your environment. -* In {{stack}}, if you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 8.11 or newer, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine). +* In {{stack}}, if you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 9.0 or later, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine). :::: If you’re installing the risk scoring engine for the first time: -1. Find **Entity Risk Score** in the navigation menu. -2. On the **Entity Risk Score** page, turn the toggle on. - -You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation. +1. Find **Entity risk score** in the navigation menu or using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. On the **Entity risk score** page, turn the toggle on. +3. {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Choose whether to retain [residual risk scores](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#residual-risk-score). +4. 
Choose whether to include `Closed` alerts in risk scoring calculations. +5. Optionally, specify a date and time range for the calculation. :::{image} /solutions/images/security-turn-on-risk-engine.png :alt: Turn on entity risk scoring @@ -58,7 +59,7 @@ You can also choose to include `Closed` alerts in risk scoring calculations and stack: ``` -If you upgraded to 8.11 from an earlier {{stack}} version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as: +If you upgraded to 9.0 or later from an earlier {{stack}} version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as: * The Entity Analytics dashboard * The **User risk** tab on the Users page @@ -71,7 +72,7 @@ If you upgraded to 8.11 from an earlier {{stack}} version, and you have the orig :screenshot: ::: -1. Click **Manage** in the upgrade prompt, or find **Entity Risk Score** in the navigation menu. +1. Click **Manage** in the upgrade prompt, or find **Entity risk score** in the navigation menu. 2. On the Entity Risk Score page, click **Start update** next to the **Update available** label. :::{image} /solutions/images/security-risk-score-start-update.png
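Review bot: In the entity-risk-scoring.md hunk (@@ -80,7 +80,11), "reset to zero if there are no new inputs" is vaguer than the two bullets directly above it, which state exactly when a residual score arises (all alerts closed, or all open alerts outside the configured date and time range); suggest wording the default in the same terms, e.g. "if no alerts remain within the configured range, the score is reset to zero". The same added paragraph is what the new step 3 in turn-on-risk-scoring-engine.md links to as `#residual-risk-score`, but no heading in this hunk carries that anchor, so confirm the id exists in the surrounding file or add an explicit `[residual-risk-score]` heading id alongside this change.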
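Review bot: In the turn-on-risk-scoring-engine.md hunk at @@ -28,24 +28,25, step 1 now reads "in the navigation menu or using the [global search field]" while the preview sentence changed a few lines earlier in the same hunk keeps "or by using the [global search field]"; pick one phrasing for both. The `{applies_to}` badges on step 3 mark the retain option as 9.2 / serverless, which matches the note added to entity-risk-scoring.md, so that part is consistent.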
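Review bot: The hunk at @@ -71,7 +72,7 renames the menu item to **Entity risk score** on the step-1 line but leaves the unchanged context line "2. On the Entity Risk Score page, click **Start update**" with the old capitalization, so the finished page shows both spellings one line apart; update that line as well while renaming.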