From 020f4e6b256b01f20ae4b66076e0133c2dbaa024 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Fri, 5 Sep 2025 17:54:58 +0100 Subject: [PATCH] Risk scoring clarification (#7056) (cherry picked from commit d1b0fb2f19e9c15f787e64124666ce7cc0965f3b) --- .../entity-risk-scoring.asciidoc | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index 4ca27e8071..527a71bdf8 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc @@ -32,9 +32,9 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne [discrete] [[how-is-risk-score-calculated]] -== How is risk score calculated? +== How are risk scores calculated? -. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. +. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days, including <>. For each entity, the engine processes up to 10,000 alerts. + NOTE: When <>, you can choose to also include `Closed` alerts in risk scoring calculations. 
@@ -71,6 +71,17 @@ NOTE: Asset criticality levels and default risk weights are subject to change. The risk score is updated every hour based on the configured date and time range, which defaults to 30 days. Each update generates a new score, calculated independently of any previous scores. +[discrete] +[[residual-risk]] +=== Residual risk score + +In some cases, entities can retain a residual risk score: + +* If all alerts for an entity are closed +* If all of the entity's open alerts fall outside of the configured date and time range + +In these situations, the entity retains its last computed risk score until a new alert causes the score to be recalculated. + .Click for a risk score calculation example [%collapsible] ====
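Review bot: In the first hunk (`@@ -32,9 +32,9 @@`), the added text "from the last 30 days, including <>" shows an empty cross-reference as it appears here, so the step does not say what is included alongside the `Open` and `Acknowledged` alerts. Confirm that the target anchor exists and give the link explicit text, so the sentence still reads correctly if the reference fails to resolve. The heading changes to "How are risk scores calculated?" while `[[how-is-risk-score-calculated]]` stays the same. That keeps existing inbound links working, and it is worth noting in the commit message that the mismatch is intentional.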
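Review bot: In the second hunk (`@@ -71,6 +71,17 @@`), the new "Residual risk score" section says the entity "retains its last computed risk score", but it directly follows the unchanged sentence "Each update generates a new score, calculated independently of any previous scores". Readers will take the two as contradictory. Add a sentence stating that an entity with no qualifying alerts in the window is skipped by the hourly run rather than rescored, if that is the behaviour, and reconcile the section with the earlier NOTE on entities with only `Closed` alerts that appears in the first hunk's header context. The first bullet, "If all alerts for an entity are closed", should also account for the option to include `Closed` alerts mentioned in the first hunk's context. Finally, the section now sits between the calculation text and `.Click for a risk score calculation example`. Consider placing it after the collapsible block so the example stays next to the steps it illustrates.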