
Once the Alert TRS or custom risk scores are configured within a Devo domain’s alerts and behavioral detections, risk can now accumulate on specific entities within the domain that are associated with those alerts and behavioral detection signals. The Entity Risk Score (ERS) is calculated from all the alerts and behavioral detection signals within the domain over the last 7 days and aggregates the risk contribution from each of them on the specific entities involved. From there, the aggregate risk score is normalized against all entities within the domain, which results in the final ERS.

The ERS calculation is done by a risk processor that is enabled within a Devo domain. The processor runs every hour and calculates risk from the alerts and behavioral detection signals that have occurred over the 7 days preceding the time of the run. The ERS is output every hour into the entity.behavior.risk.events table and can be viewed via data search within a Devo domain.
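The following sketch is an added example, not Devo's code, showing how a 7-day lookback and per-domain normalization make an entity's score change between two hourly runs. The signal tuples, the function names and the normalization method (scaling so the highest aggregate in the domain is 100) are assumptions; the page does not specify how normalization is done.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # lookback stated on the page

# Constructed sample signals: (time, entity, risk contribution). Not real data.
SIGNALS = [
    (datetime(2024, 5, 1, 8, 30), "user:alice", 40.0),
    (datetime(2024, 5, 3, 14, 30), "user:alice", 25.0),
    (datetime(2024, 5, 6, 8, 15), "host:web01", 30.0),
    (datetime(2024, 5, 7, 22, 5), "user:bob", 10.0),
    (datetime(2024, 5, 8, 8, 45), "host:web01", 20.0),
]


def aggregate(signals, run_time):
    """Sum risk per entity for signals in (run_time - 7 days, run_time]."""
    totals = defaultdict(float)
    for ts, entity, risk in signals:
        if run_time - WINDOW < ts <= run_time:
            totals[entity] += risk
    return dict(totals)


def entity_risk_scores(signals, run_time):
    """Normalize aggregates against all entities in the domain.

    Assumed method: scale so the highest-risk entity scores 100.
    """
    totals = aggregate(signals, run_time)
    top = max(totals.values(), default=0.0)
    if top == 0:
        return {entity: 0.0 for entity in totals}
    return {e: round(100 * v / top, 1) for e, v in totals.items()}


def hourly_runs(signals, first_run, count):
    """Recompute scores once per hour, as the risk processor is described."""
    runs = []
    for i in range(count):
        run_time = first_run + timedelta(hours=i)
        runs.append((run_time, entity_risk_scores(signals, run_time)))
    return runs


if __name__ == "__main__":
    for run_time, scores in hourly_runs(SIGNALS, datetime(2024, 5, 8, 8, 0), 2):
        print(run_time.isoformat(), scores)
```

Between the 08:00 and 09:00 runs, one of alice's signals ages out of the window and a new signal arrives for web01, so the ranking flips even though bob's raw risk is unchanged.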
