Devo Behavior Analytics provides risk scores at two different levels:

  • Alert Technique Risk Score - A measure of risk for the specific MITRE ATT&CK technique that the alert is associated with, on a scale from 0 to 100.

  • Entity Risk Score - A calculated risk score that takes into account all of the alerts and behavior deviations for an entity, on a scale from 0 to 100.

The Alert Technique Risk Score (TRS) is the out-of-the-box alert risk score framework that dictates the risk contribution of a specific alert or behavioral deviation. The TRS is determined by the Devo SciSec threat research team based on research into common attack patterns for MITRE ATT&CK techniques. For each technique, the research evaluates its technique awareness, its role as a cut vertex to other techniques (how many attack paths must pass through it), its technique closeness, and its technique actionability to arrive at the risk score. The Alert Technique Risk Score is the default model of alert risk within Devo today and is available for all SecOps alerts out of the box. The TRS is additionally modulated by the priority set on an alert, so that alerts an organization marks as higher priority for its environment contribute more risk.

To take advantage of the Alert Technique Risk Score in a custom alert, the alert must include both the MITRE ATT&CK Technique ID and the alert priority. Both values are read by the risk processor to calculate the risk associated with an entity. To use the out-of-the-box risk score framework, add the following two fields to the alert LINQ (the priority value is a string):

select "T1548" as mitreTechniqueId

select "4" as alertPriority

Alternatively, if a user would like to set their own risk score for an alert on a scale from 0 to 100, they can add the risk score as a value directly in the alert LINQ, as in the example below. This custom value replaces the TRS contribution for that alert:

select 50 as risk

 

On top of the risk score configuration, users must add SecOps alert entities to their alerts. These fields associate the alert's TRS (or custom risk) with a specific entity so that the Entity Risk Score can be calculated. An alert with a risk score but no entity fields contributes no risk to any entity.

select userIdentity_arn as entity_sourceName

select userIdentity_accountId as entity_sourceAccount

select sourceIPAddress as entity_sourceIP
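The fragments above, assembled into one complete alert query. This is an added example, not a query from the original page or from Devo: it assumes the CloudTrail events are in the `cloud.aws.cloudtrail` table with the flattened field names used above (`userIdentity_arn`, `userIdentity_accountId`, `sourceIPAddress`) and an `eventName` field, and the `where` clause is a placeholder for whatever detection logic the alert actually implements. The detection here, an `AssumeRole` call, is only illustrative of T1548 (Abuse Elevation Control Mechanism). The first five lines are the detection; the last five are what the risk processor needs, and a custom `select 50 as risk` could replace the `mitreTechniqueId`/`alertPriority` pair if the organization prefers its own score:

```linq
from cloud.aws.cloudtrail
  where eventSource = "sts.amazonaws.com"
  where eventName = "AssumeRole"
  where isnotnull(userIdentity_arn)
  select eventTime, eventName, userIdentity_arn, sourceIPAddress
  select "T1548" as mitreTechniqueId
  select "4" as alertPriority
  select userIdentity_arn as entity_sourceName
  select userIdentity_accountId as entity_sourceAccount
  select sourceIPAddress as entity_sourceIP
```

Before saving the alert, run the query in data search and confirm that `mitreTechniqueId`, `alertPriority` and the three `entity_*` columns are populated on every row; a row where `entity_sourceName` is null fires the alert but adds no risk to the user, which is why the `isnotnull` guard is included.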

  

Once the Alert TRS or custom risk scores are configured within a Devo domain's alerts and behavioral detections, risk can accumulate on the specific entities within the domain that are associated with those alerts and detections. The Entity Risk Score (ERS) is calculated from all the alerts and behavior detections within the domain over the last 7 days, aggregating the risk contribution from each of them onto the entities involved. The aggregate risk score is then normalized against all entities within the domain, which yields the final ERS. The calculation is performed by a risk processor enabled within the Devo domain; it runs every hour and considers alerts and behavioral detections that occurred in the 7 days before the run. The ERS is written every hour to the entity.behavior.risk.events table and can be viewed via data search within the Devo domain. Because of the normalization step, a custom alert risk of 50 does not mean the entity's ERS will be 50: the ERS reflects that entity's accumulated risk relative to every other entity in the domain.

The ERS is the score displayed for an entity throughout the Devo Behavior Analytics application and is used to help identify users, devices, and domains that are suspicious. The Alert TRS or customized risk score is displayed within the entity's alert history view to give context as to how much risk an individual alert or behavioral deviation contributed to the ERS.
