...
To take advantage of the Alert Technique Risk Score in a custom alert, you must include both the MITRE ATT&CK Technique ID and the alert priority. The risk processor uses both values to calculate the risk associated with an entity. To take advantage of the out-of-the-box risk score framework, use the example alert LINQ provided below:
select "T1548" as mitreTechniqueId
...
Alternatively, if you would like to set your own risk score for your alerts on a scale from 0 to 100, you can add the risk score as a value directly in the alert LINQ. An example of this can be seen below:
select 50 as risk
If you want to exclude an alert from the risk calculation, for example because it alerts on data from the entity.behavior.risk.events table, add the following to the alert and it will be excluded. The Risk alert type avoids positive feedback loops in entity risk over time:
select "Risk" as alertType
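As an added illustration that is not part of the original documentation, the following Python function models an alert's output fields as a dictionary and classifies how that alert would feed the risk calculation according to the three options above: excluded by the Risk alert type, an explicit risk value from 0 to 100, or technique-based scoring from the MITRE ID plus priority. The field name priority is an assumption; the page names the alert priority but not its LINQ field name. The ATT&CK ID format check (T followed by four digits, with an optional three-digit sub-technique suffix) is added here as a sanity check and is not something the page describes.

```python
import re

# alertType value that the text says removes an alert from the risk calculation
RISK_EXCLUDED_ALERT_TYPE = "Risk"

# Assumed LINQ field name for the alert priority (the page does not name it)
PRIORITY_FIELD = "priority"

# MITRE ATT&CK technique IDs look like T1548 or T1548.001 (sub-technique)
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def risk_inputs(alert: dict) -> dict:
    """Classify an alert's contribution to the entity risk calculation.

    Returns a dict whose 'mode' is one of:
      "excluded"  - alertType is Risk, so the alert is skipped (no feedback loop)
      "explicit"  - a risk value between 0 and 100 is supplied directly
      "technique" - mitreTechniqueId plus priority are present for the processor
      "invalid"   - the alert does not provide usable inputs
    """
    if alert.get("alertType") == RISK_EXCLUDED_ALERT_TYPE:
        return {"mode": "excluded",
                "reason": "alertType Risk is excluded to avoid feedback loops"}

    if "risk" in alert:
        risk = alert["risk"]
        # bool is a subclass of int in Python, so reject it explicitly
        if (isinstance(risk, (int, float)) and not isinstance(risk, bool)
                and 0 <= risk <= 100):
            return {"mode": "explicit", "risk": risk}
        return {"mode": "invalid",
                "reason": "risk must be a number from 0 to 100"}

    missing = [f for f in ("mitreTechniqueId", PRIORITY_FIELD) if f not in alert]
    if missing:
        return {"mode": "invalid", "reason": "missing " + ", ".join(missing)}

    technique = alert["mitreTechniqueId"]
    if not TECHNIQUE_ID_RE.match(str(technique)):
        return {"mode": "invalid",
                "reason": f"{technique!r} is not a MITRE ATT&CK technique ID"}

    return {"mode": "technique",
            "mitreTechniqueId": technique,
            "priority": alert[PRIORITY_FIELD]}


# Constructed sample alerts (not real alert output) covering each path
SAMPLE_ALERTS = {
    "technique_ok": {"mitreTechniqueId": "T1548", PRIORITY_FIELD: "high"},
    "subtechnique_ok": {"mitreTechniqueId": "T1548.001", PRIORITY_FIELD: "medium"},
    "explicit_ok": {"risk": 50},
    "explicit_out_of_range": {"risk": 150},
    "excluded": {"alertType": "Risk", "mitreTechniqueId": "T1548", PRIORITY_FIELD: "low"},
    "missing_priority": {"mitreTechniqueId": "T1548"},
    "bad_technique": {"mitreTechniqueId": "1548", PRIORITY_FIELD: "high"},
}


def classify_samples() -> dict:
    """Run every constructed sample through risk_inputs and return the modes."""
    return {name: risk_inputs(a)["mode"] for name, a in SAMPLE_ALERTS.items()}


if __name__ == "__main__":
    for name, mode in classify_samples().items():
        print(f"{name:24s} -> {mode}")
```

Note that an explicit risk value takes precedence over the technique fields in this model simply because the page presents it as an alternative to them; the ordering of those two checks is a choice made here, not documented behaviour.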
Entity Risk Score
On top of the risk score configuration, you must add SecOps alert entities to your alerts. These associate the alert's TRS data with the specific entity and are used to calculate the Entity Risk Score.
...