Risk score calculation for closed alerts (#6271)

* Risk score calculation for closed alerts

* Updates screenshots

(cherry picked from commit 19e3484)

# Conflicts:
#	docs/serverless/advanced-entity-analytics/entity-risk-scoring.asciidoc
#	docs/serverless/advanced-entity-analytics/turn-on-risk-engine.asciidoc
#	docs/serverless/images/turn-on-risk-engine/preview-risky-entities.png
#	docs/serverless/images/turn-on-risk-engine/turn-on-risk-engine.png

Author: natasha-moore-elastic

docs/advanced-entity-analytics/entity-risk-scoring.asciidoc

@@ -37,6 +37,8 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne
 == How is risk score calculated?
 
 . The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
++
+NOTE: When <<turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.
 
 . The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
 

docs/advanced-entity-analytics/images/preview-risky-entities.png

@@ -29,7 +29,9 @@ image::images/preview-risky-entities.png[Preview of risky entities]
 If you're installing the risk scoring engine for the first time:
 
 . Find **Entity Risk Score** in the navigation menu.
-. Turn the **Entity risk score** toggle on.
+. On the **Entity Risk Score** page, turn the toggle on.
+
+You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.
 
 [role="screenshot"]
 image::images/turn-on-risk-engine.png[Turn on entity risk scoring]

docs/advanced-entity-analytics/images/turn-on-risk-engine.png

@@ -0,0 +1,120 @@
+[[security-entity-risk-scoring]]
+= Entity risk scoring
+
+// :description: Learn about the risk scoring engine and its features.
+// :keywords: serverless, security, overview, analyze
+
+
+Entity risk scoring is an advanced {elastic-sec} analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response.
+
+Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days.
+
+It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated.
+
+[discrete]
+[[security-entity-risk-scoring-risk-scoring-inputs]]
+== Risk scoring inputs
+
+Entity risk scores are determined by the following risk inputs:
+
+|===
+| Risk input | Storage location
+
+| <<security-alerts-manage,Alerts>>
+| `.alerts-security.alerts-<space-id>` index alias
+
+| <<security-asset-criticality,Asset criticality level>>
+| `.asset-criticality.asset-criticality-<space-id>` index alias
+|===
+
+The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
+
+[NOTE]
+====
+Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
+====
+
+[discrete]
+[[security-entity-risk-scoring-how-is-risk-score-calculated]]
+== How is risk score calculated?
+
+. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
++
+NOTE: When <<security-turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.
+. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<security-hosts-overview-host-risk-summary,risk summary>>.
+. The engine then verifies the entity's <<security-asset-criticality,asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
++
+|===
+| Asset criticality level| Default risk weight
+
+| Low impact
+| 0.5
+
+| Medium impact
+| 1
+
+| High impact
+| 1.5
+
+| Extreme impact
+| 2
+|===
++
+[NOTE]
+====
+Asset criticality levels and default risk weights are subject to change.
+====
+. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels:
++
+|===
+| Risk level| Risk score
+
+| Unknown
+| < 20
+
+| Low
+| 20-40
+
+| Moderate
+| 40-70
+
+| High
+| 70-90
+
+| Critical
+| > 90
+|===
+
+.Click for a risk score calculation example
+[%collapsible]
+=====
+This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**.
+
+There are 5 open alerts associated with `User_A`:
+
+* Alert 1 with alert risk score 21
+* Alert 2 with alert risk score 45
+* Alert 3 with alert risk score 21
+* Alert 4 with alert risk score 70
+* Alert 5 with alert risk score 21
+
+'''
+
+To calculate the user risk score, the risk scoring engine:
+
+. Sorts the associated alerts in descending order of alert risk score:
++
+** Alert 4 with alert risk score 70
+** Alert 2 with alert risk score 45
+** Alert 1 with alert risk score 21
+** Alert 3 with alert risk score 21
+** Alert 5 with alert risk score 21
+. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category.
+. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**.
+. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95.
+. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level.
+
+If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16.
+=====
+
+Learn how to <<security-turn-on-risk-engine,turn on the risk scoring engine>>.

docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc

@@ -0,0 +1,51 @@
+[[security-turn-on-risk-engine]]
+= Turn on the risk scoring engine
+
+// :description: Start generating host and user risk scores.
+// :keywords: serverless, security, how-to, manage
+
+++++
+<titleabbrev>Turn on risk scoring</titleabbrev>
+++++
+
+
+.Requirements
+[NOTE]
+====
+To use entity risk scoring, you must have the appropriate user role. For more information, refer to <<security-ers-requirements>>.
+====
+
+[discrete]
+[[security-turn-on-risk-engine-preview-risky-entities]]
+== Preview risky entities
+
+You can preview risky entities before installing the risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker.
+
+[NOTE]
+====
+The preview is limited to two risk scores per serverless project.
+====
+
+To preview risky entities, go to **Project settings** → **Management** → **Entity Risk Score**:
+
+[role="screenshot"]
+image::images/turn-on-risk-engine/preview-risky-entities.png[Preview of risky entities]
+
+[discrete]
+[[security-turn-on-risk-engine-turn-on-the-risk-engine]]
+== Turn on the risk engine
+
+[NOTE]
+====
+To view risk score data, you must have alerts generated in your environment.
+====
+
+If you're installing the risk scoring engine for the first time:
+
+. Go to **Project settings** → **Management** → **Entity Risk Score**.
+. On the **Entity Risk Score** page, turn the toggle on.
+
+You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.
+
+[role="screenshot"]
+image::images/turn-on-risk-engine/turn-on-risk-engine.png[Turn on entity risk scoring]