About risk scoring

Devo Behavior analytics provides risk scores at two different levels:

...

Alternatively, if you want to set your own risk score for an alert on a scale from 0 to 100, add the risk score as a value directly in the alert's LINQ query, for example:

select 50 as risk

If an alert has no risk score associated with it, a default risk score of 35 is used, provided that an entity is mapped within the alert. The entity mapping described at the bottom of this page must be present for the default risk score to apply.

If an alert carries no technique ID, no risk value and no mapped entity, the risk calculation process ignores it entirely.

An alert that itself queries the entity.behavior.risk.events table (that is, an alert built on top of the risk output) should be excluded from the risk calculation; otherwise its own firings would feed risk back into the entities it reports on. To exclude it, add select "Risk" as alertType to the alert query. The "Risk" alert type avoids positive feedback loops of entity risk over time:

...

Once the Alert TRS or custom risk scores are configured on a Devo domain's alerts and behavioral detections, risk accumulates on the specific entities within the domain that are associated with those alerts and behavioral detection signals. The Entity Risk Score (ERS) is calculated from all alerts and behavioral detection signals within the domain over the last 7 days, summing the risk contribution of each one on the entities involved. The aggregate risk score is then normalized against all entities within the domain, which yields the final ERS.

The ERS calculation is performed by a risk processor that is enabled within a Devo domain. It runs every hour and scores the alerts and behavioral detection signals that occurred in the 7 days preceding the run. The ERS is written every hour to the entity.behavior.risk.events table and can be viewed via data search within the Devo domain.

...

The above mapping allows the risk processor to identify the entities within the alerts to calculate the risk and then appropriately map them to the display in the application.

entity.behavior.risk.events overview

entity: Name of entity
total_risk: Cumulative (summed) risk score
related: All related entities observed
last_risk: Time of the most recent alert/anomaly signal observed
alert_metrics_secops: Total number of observed SecOps alerts
alert_metrics_ueba: Total number of observed anomaly signals
priority_metrics_high: Total number of observed SecOps alerts that were of severity "High"
priority_metrics_critical: Total number of observed SecOps alerts that were of severity "Critical"
entity_risk: Normalized risk score for this entity's type
entity_type: Type of entity
global_risk: Normalized risk score for all entities
unique_alerts: Unique or distinct number of alerts observed
unique_techiniques: Number of distinct MITRE ATT&CK techniques observed
unique_tactics: Number of distinct MITRE ATT&CK tactics observed
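To make the scoring rules above (default risk of 35, the "Risk" alertType exclusion, the ignore rule for alerts with no technique, risk or entity, and the 7-day window) and the table fields concrete, the following is an added illustration written for this page. It is not Devo's risk processor and not code from the Devo documentation; it applies the documented rules to a handful of constructed alert records and produces rows that mirror several entity.behavior.risk.events fields. Every field name other than risk and alertType (ts, entity, entity_type, alert, technique, tactic) is an assumption made for the illustration, and so is the normalization formula: the page only says the aggregate is normalized against all entities, so here each score is scaled so that the riskiest entity (overall for global_risk, within its type for entity_risk) lands at 100.

```python
"""Toy model of the Entity Risk Score (ERS) rollup.

Added illustration, not Devo's risk processor. Field names other than
"risk" and "alertType", and the scale-to-max normalization, are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DEFAULT_RISK = 35            # documented default when an entity is mapped but no risk is set
WINDOW = timedelta(days=7)   # documented 7-day lookback per processor run

# Constructed sample alerts (not real Devo data).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"ts": NOW - timedelta(hours=2), "entity": "alice", "entity_type": "user",
     "alert": "ImpossibleTravel", "risk": 50, "technique": "T1078", "tactic": "TA0001",
     "alertType": "SecOps"},
    {"ts": NOW - timedelta(days=1), "entity": "alice", "entity_type": "user",
     "alert": "NewMFADevice", "risk": None, "technique": "T1556", "tactic": "TA0005",
     "alertType": "SecOps"},                       # no risk set -> default 35
    {"ts": NOW - timedelta(days=3), "entity": "srv-01", "entity_type": "host",
     "alert": "OutboundBeacon", "risk": 80, "technique": "T1071", "tactic": "TA0011",
     "alertType": "SecOps"},
    {"ts": NOW - timedelta(days=9), "entity": "srv-01", "entity_type": "host",
     "alert": "OutboundBeacon", "risk": 80, "technique": "T1071", "tactic": "TA0011",
     "alertType": "SecOps"},                       # older than 7 days -> ignored
    {"ts": NOW - timedelta(hours=5), "entity": "bob", "entity_type": "user",
     "alert": "HighRiskEntity", "risk": 90, "technique": None, "tactic": None,
     "alertType": "Risk"},                         # built on risk output -> excluded (feedback loop)
    {"ts": NOW - timedelta(hours=1), "entity": None, "entity_type": None,
     "alert": "NoEntityMapping", "risk": None, "technique": None, "tactic": None,
     "alertType": "SecOps"},                       # no technique, risk or entity -> ignored
]


def in_scope(alert, now):
    """Apply the documented inclusion rules for one alert."""
    if alert["alertType"] == "Risk":
        return False                               # self-referential risk alerts are excluded
    if now - alert["ts"] > WINDOW:
        return False                               # outside the 7-day window
    # Ignored only when technique ID, risk and entity are all absent.
    return any(alert[k] is not None for k in ("technique", "risk", "entity"))


def contribution(alert):
    """Risk an alert adds to its entity: explicit value, else the default of 35."""
    return alert["risk"] if alert["risk"] is not None else DEFAULT_RISK


def score_entities(alerts, now=NOW):
    """Sum per-entity risk over the window and normalize. Returns rows keyed by entity."""
    ents = {}
    for a in alerts:
        # Risk can only accumulate on an entity, so alerts without one contribute nothing.
        if not in_scope(a, now) or a["entity"] is None:
            continue
        e = ents.setdefault(a["entity"], {
            "entity_type": a["entity_type"], "total_risk": 0, "last_risk": a["ts"],
            "alerts": set(), "techniques": set(), "tactics": set()})
        e["total_risk"] += contribution(a)
        e["last_risk"] = max(e["last_risk"], a["ts"])
        e["alerts"].add(a["alert"])
        if a["technique"]:
            e["techniques"].add(a["technique"])
        if a["tactic"]:
            e["tactics"].add(a["tactic"])

    # Assumed normalization: riskiest entity overall / within its type scores 100.
    global_max = max((e["total_risk"] for e in ents.values()), default=0)
    type_max = defaultdict(int)
    for e in ents.values():
        type_max[e["entity_type"]] = max(type_max[e["entity_type"]], e["total_risk"])

    rows = {}
    for name, e in ents.items():
        rows[name] = {
            "entity": name,
            "entity_type": e["entity_type"],
            "total_risk": e["total_risk"],
            "last_risk": e["last_risk"].isoformat(),
            "unique_alerts": len(e["alerts"]),
            "unique_techniques": len(e["techniques"]),
            "unique_tactics": len(e["tactics"]),
            "global_risk": round(100 * e["total_risk"] / global_max) if global_max else 0,
            "entity_risk": round(100 * e["total_risk"] / type_max[e["entity_type"]]),
        }
    return rows


if __name__ == "__main__":
    for row in score_entities(SAMPLE_ALERTS).values():
        print(row)
```

Running it yields two rows: alice accumulates 50 + 35 = 85 (the second alert falls back to the default), srv-01 accumulates 80 (its 9-day-old alert is dropped), bob's "Risk"-typed alert and the unmapped alert never enter the calculation. Note the alert for bob is excluded even though it carries an explicit risk of 90; that is exactly the feedback loop the "Risk" alertType guards against.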