The ERS is the score displayed alongside an entity in the Devo Behavior Analytics application; it helps identify suspicious users, devices, and domains. The Alert TRS, or customized risk score, is displayed in the entity's alert history view to show how much risk an individual alert or behavioral deviation contributed to the ERS.

To identify entities within your alerts and map them to users, devices, and/or domains, use the following mapping cheatsheet:

Users
-entity_sourceName
-entity_destinationName
-entity_sourceAccount
-entity_destinationAccount
-entity_sourceEmail
-entity_destinationEmail
Device
-entity_sourceIP
-entity_destinationIP
-entity_sourceHostname
-entity_destinationHostname
Domain
-entity_sourceDomain
-entity_destinationDomain
-entity_sourceUrl
-entity_destinationUrl

This mapping lets the risk processor identify the entities within the alerts, calculate the risk, and then map them to the appropriate display in the application.
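As an added example (not Devo's own code), the following pre-flight check lints one alert row against the cheatsheet: it groups populated fields by entity type and flags `entity_*` columns that are empty or are not on the cheatsheet. Representing an alert as a Python dict, matching names exactly with case sensitivity, and the `check_alert` helper are assumptions made for illustration.

```python
import difflib

# Field names copied from the cheatsheet above.
ENTITY_FIELDS = {
    "user": ["entity_sourceName", "entity_destinationName",
             "entity_sourceAccount", "entity_destinationAccount",
             "entity_sourceEmail", "entity_destinationEmail"],
    "device": ["entity_sourceIP", "entity_destinationIP",
               "entity_sourceHostname", "entity_destinationHostname"],
    "domain": ["entity_sourceDomain", "entity_destinationDomain",
               "entity_sourceUrl", "entity_destinationUrl"],
}
FIELD_TO_TYPE = {f: t for t, fields in ENTITY_FIELDS.items() for f in fields}


def check_alert(alert):
    """Return (entities by type, list of findings) for one alert row (hypothetical helper)."""
    entities = {t: set() for t in ENTITY_FIELDS}
    problems = []
    for column, value in alert.items():
        if column in FIELD_TO_TYPE:  # assumption: exact, case-sensitive match
            text = "" if value is None else str(value).strip()
            if text:
                entities[FIELD_TO_TYPE[column]].add(text)
            else:
                problems.append(f"{column}: empty value, no entity extracted")
        elif column.lower().startswith("entity_"):
            # Looks like an entity column but is not on the cheatsheet (typo or wrong case).
            close = difflib.get_close_matches(column, list(FIELD_TO_TYPE), n=1, cutoff=0.8)
            hint = f" (did you mean {close[0]}?)" if close else ""
            problems.append(f"{column}: not a cheatsheet field{hint}")
    if not any(entities.values()):
        problems.append("no cheatsheet entity field has a value")
    return {t: sorted(v) for t, v in entities.items()}, problems


# Constructed sample alert row (not real data).
SAMPLE = {
    "entity_sourceAccount": "jdoe",
    "entity_sourceIP": "10.0.0.5",
    "entity_destinationIp": "203.0.113.7",  # wrong case: Ip instead of IP
    "entity_destinationDomain": "",
    "alertName": "constructed-example",
}

if __name__ == "__main__":
    found, issues = check_alert(SAMPLE)
    print(found)
    print("\n".join(issues))
```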