From a341e5ff143ba03e9aa53e19c14e96cbb2c60a5d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 5 Sep 2025 14:07:08 +0100 Subject: [PATCH] Risk scoring clarification --- .../entity-risk-scoring.asciidoc | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index 4ca27e8071..527a71bdf8 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc @@ -32,9 +32,9 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne [discrete] [[how-is-risk-score-calculated]] -== How is risk score calculated? +== How are risk scores calculated? -. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. +. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days, including <>. For each entity, the engine processes up to 10,000 alerts. + NOTE: When <>, you can choose to also include `Closed` alerts in risk scoring calculations. @@ -71,6 +71,17 @@ NOTE: Asset criticality levels and default risk weights are subject to change. The risk score is updated every hour based on the configured date and time range, which defaults to 30 days. Each update generates a new score, calculated independently of any previous scores. +[discrete] +[[residual-risk]] +=== Residual risk score + +In some cases, entities can retain a residual risk score: + +* If all alerts for an entity are closed +* If all of the entity's open alerts fall outside of the configured date and time range + +In these situations, the entity retains its last computed risk score until a new alert causes the score to be recalculated. + .Click for a risk score calculation example [%collapsible] ====
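Review bot: In the first hunk, the rewritten sentence still hardcodes "alerts from the last 30 days", while the unchanged paragraph later in the same file says the score is computed "based on the configured date and time range, which defaults to 30 days". Since this patch is already touching the sentence, make it consistent with the configurable range, for example: "aggregate `Open` and `Acknowledged` alerts from the configured date and time range (30 days by default), including <>." Also confirm that the cross-reference inserted after "including" resolves to an existing anchor, and note that the section anchor `[[how-is-risk-score-calculated]]` keeps its singular wording after the heading became plural; that is fine for link stability, but worth a deliberate decision rather than an accident.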
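Review bot: The new "Residual risk score" section in the second hunk contradicts two unchanged statements in the same file. The NOTE near the top says "Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score", yet the first bullet here says an entity whose alerts are all closed retains its last computed score; and the paragraph immediately above the new section says each hourly update is "calculated independently of any previous scores", which readers will take to mean a run with no qualifying alerts produces a fresh (empty or zero) score rather than leaving the old one in place. Suggest qualifying the NOTE (for example "are not assigned a new risk score; see Residual risk score") and adding one sentence to the new section stating explicitly that an hourly run with no `Open` or `Acknowledged` alerts inside the configured range leaves the previous score untouched rather than resetting or removing it. While here, "until a new alert causes the score to be recalculated" should say which alerts qualify, i.e. a new `Open` or `Acknowledged` alert within the configured date and time range, since those are the only alerts the engine aggregates per the first hunk.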