About risk scoring
Devo Behavior analytics provides risk scores at two different levels:
...
Alternatively, if you would like to set your own risk score for your alerts on a scale from 0 to 100, you can add the risk score as a value directly in the alert LINQ, for example:
select 50 as risk
If an alert has no risk score associated with it, a default risk score of 35 is used, provided an entity is mapped within the alert. The entity mapping at the bottom of the page must be present in order to make use of the default risk score.
If none of technique ID, risk, or entity is listed in the alert, the alert is ignored by the risk calculation process.
If you want to exclude an alert from the risk calculation because it alerts on data from the entity.behavior.risk.events table, add [select "Risk" as alertType] to the alert and it will be excluded. The "Risk" alert type avoids positive feedback loops of entity risk over time:
...
Once the Alert TRS or custom risk scores are configured within a Devo domain's alerts and behavioral detections, risk can accumulate on specific entities within the domain that are associated with those alerts and behavioral detection signals. The Entity Risk Score (ERS) is calculated from all the alerts and behavioral detection signals within the domain over the last 7 days and aggregates the risk contribution from each of them on the specific entities involved. From there the aggregate risk score is normalized against all entities within the domain, which results in the final ERS.
The ERS calculation is done by a risk processor that is enabled within a Devo domain and calculates risk every hour on alerts and behavioral detection signals that have occurred over the 7 days preceding the time it was run. The ERS is written every hour into the entity.behavior.risk.events table and can be viewed via data search within a Devo domain.
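As an added illustration (not Devo's own code and not the actual risk processor), a small Python model of the accumulation rules above: the default risk of 35 when an entity is mapped but no risk is set, the exclusion of alerts with alertType "Risk", the rule that alerts with no technique, risk or entity are ignored, the 7-day look-back window, and per-entity summation. The normalization step is an assumption (max-scaled to 0 to 100), since the page only states that the aggregate is normalized against all entities in the domain; the sample alerts are constructed, not real Devo data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_RISK = 35            # used when an entity is mapped but no risk score is set
WINDOW = timedelta(days=7)   # the processor looks back 7 days from its run time


def contributes(alert):
    """Apply the inclusion rules to one alert record (a dict of alert fields)."""
    if alert.get("alertType") == "Risk":         # excluded to avoid feedback loops
        return False
    if not any(alert.get(k) for k in ("technique", "risk", "entity")):
        return False                              # nothing for the calculation to use
    return alert.get("entity") is not None        # risk can only accumulate on an entity


def alert_risk(alert):
    """Risk contributed by one alert: its own score, or the default of 35."""
    return alert["risk"] if alert.get("risk") is not None else DEFAULT_RISK


def entity_risk_scores(alerts, now):
    """Sum risk per entity over the window, then normalize (assumption: scale to max = 100)."""
    totals = defaultdict(int)
    names = defaultdict(set)
    for a in alerts:
        if not contributes(a) or now - a["time"] > WINDOW:
            continue
        totals[a["entity"]] += alert_risk(a)
        names[a["entity"]].add(a["name"])
    top = max(totals.values(), default=0)
    return {
        entity: {
            "total_risk": total,
            "unique_alerts": len(names[entity]),
            "global_risk": round(100 * total / top) if top else 0,
        }
        for entity, total in totals.items()
    }


NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE_ALERTS = [  # constructed sample records, not real Devo data
    {"name": "SuspiciousLogin", "entity": "alice", "risk": 50, "technique": "T1078", "time": NOW - timedelta(hours=2)},
    {"name": "PrivEsc", "entity": "alice", "risk": None, "technique": "T1068", "time": NOW - timedelta(days=1)},
    {"name": "SuspiciousLogin", "entity": "alice", "risk": 50, "technique": "T1078", "time": NOW - timedelta(days=9)},
    {"name": "PortScan", "entity": "10.0.0.5", "risk": 20, "technique": None, "time": NOW - timedelta(hours=5)},
    {"name": "RiskRollup", "entity": "alice", "risk": 90, "technique": None, "alertType": "Risk", "time": NOW},
    {"name": "NoEntity", "entity": None, "risk": None, "technique": None, "time": NOW},
]

if __name__ == "__main__":
    print(entity_risk_scores(SAMPLE_ALERTS, NOW))
```

The 9-day-old alert, the "Risk" alertType alert and the alert with no entity, risk or technique all drop out, so alice accumulates 50 + 35 = 85 and the host 20.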
...
The above mapping allows the risk processor to identify the entities within the alerts to calculate the risk and then appropriately map them to the display in the application.
entity.behavior.risk.events overview
entity
: Name of the entity
total_risk
: Cumulative (sum) risk score
related
: All related entities observed
last_risk
: Time of the most recent alert/anomaly signal observed
alert_metrics_secops
: Total number of observed SecOps alerts
alert_metrics_ueba
: Total number of observed anomaly signals
priority_metrics_high
: Total number of observed SecOps alerts with severity "High"
priority_metrics_critical
: Total number of observed SecOps alerts with severity "Critical"
entity_risk
: Normalized risk score for this entity's type
entity_type
: Type of entity
global_risk
: Normalized risk score for all entities
unique_alerts
: Unique (distinct) number of alerts observed
unique_techiniques
: Unique (distinct) number of MITRE techniques observed
unique_tactics
: Unique (distinct) number of MITRE tactics observed