
Commit 590f856

Authored by: mergify[bot], natasha-moore-elastic, github-actions[bot]

[8.x] Risk score calculation for closed alerts (backport #6271) (#6367)

* Risk score calculation for closed alerts (#6271)

* Risk score calculation for closed alerts

* Updates screenshots

(cherry picked from commit 19e3484)

# Conflicts:
#	docs/serverless/advanced-entity-analytics/entity-risk-scoring.asciidoc
#	docs/serverless/advanced-entity-analytics/turn-on-risk-engine.asciidoc
#	docs/serverless/images/turn-on-risk-engine/preview-risky-entities.png
#	docs/serverless/images/turn-on-risk-engine/turn-on-risk-engine.png

* Delete docs/serverless directory and its contents

---------

Co-authored-by: natasha-moore-elastic <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 parent 78c6623 commit 590f856

File tree: 4 files changed (+5, -1 lines changed)

docs/advanced-entity-analytics/entity-risk-scoring.asciidoc

Lines changed: 2 additions & 0 deletions
@@ -37,6 +37,8 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne
3737
== How is risk score calculated?
3838

3939
. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
40+
+
41+
NOTE: When <<turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.
4042

4143
. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
4244

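Review bot: the new NOTE at line 41 ("you can choose to also include `Closed` alerts in risk scoring calculations") contradicts the unchanged NOTE in this hunk's header context at line 37 ("Entities without any alerts, or with only `Closed` alerts, are not assigne..."). Once the Closed-alerts option is on, an entity whose only alerts are `Closed` presumably does receive a score, so line 37 needs a qualifier such as "unless the risk engine is configured to include `Closed` alerts", or the new NOTE should state that the exclusion still holds. Step 1 on line 39 also still says the engine aggregates "`Open` and `Acknowledged` alerts from the last 30 days", while turn-on-risk-engine.asciidoc in this same commit lets the user "specify a date and time range for the calculation"; say here whether that range replaces the 30-day window and whether it applies to every hourly run or only to the initial calculation.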
[Two binary image files changed (37.7 KB and 12.6 KB); images are not rendered on this page.]

docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc

Lines changed: 3 additions & 1 deletion
@@ -29,7 +29,9 @@ image::images/preview-risky-entities.png[Preview of risky entities]
2929
If you're installing the risk scoring engine for the first time:
3030

3131
. Find **Entity Risk Score** in the navigation menu.
32-
. Turn the **Entity risk score** toggle on.
32+
. On the **Entity Risk Score** page, turn the toggle on.
33+
34+
You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.
3335

3436
[role="screenshot"]
3537
image::images/turn-on-risk-engine.png[Turn on entity risk scoring]
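Review bot: the added sentence at line 34 ("You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.") gives neither the defaults nor what the range governs. Someone turning the engine on for the first time needs to know that without these options the engine scores `Open` and `Acknowledged` alerts from the last 30 days (as entity-risk-scoring.asciidoc in this commit states), whether the chosen range limits only the initial calculation or every hourly run, and that including `Closed` alerts changes which entities get a score at all, since that file's NOTE says entities with only `Closed` alerts are not scored. Consider also adding an xref back to the calculation section, mirroring the `<<turn-on-risk-engine, ...>>` link that file adds pointing here.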

0 commit comments