Risk Based Alert Definitions

About this page

The Content Manager > Risk Based Alert Definitions page enables you to configure alerts which are triggered by changes in entity risk scores. For example, an alert could be configured to trigger whenever any user’s risk score exceeds some given value. These so-called “risk based alerts” are not required and have no impact on risk calculation; indeed, they respond to the results of risk calculation. Nevertheless, risk based alerts can be useful for security analysts who wish to be alerted of a cumulative change to an entity’s risk score rather than every individual signal that contributes incrementally to the change.

The page displays a table of the risk based alert definitions which have been configured through the Behavior Analytics application thus far. Above the table (right) is a “Create” button for creating a new risk based alert definition.

[Figure: Content Manager > Risk Based Alert Definitions displays a table of your risk based alert definitions (if any).]

The table columns display information about each alert configuration, including the following:

  • Alert Name: The name of the alert configuration.

  • Based On: The metric upon which the alert is configured to trigger; either “Risk Score” or “Relative Risk”. Both of these metrics are included in the risk calculator’s results and are available for alerting. To learn more, see the sections Key concepts > Entity Risk Scoring and Key concepts > Entity Relative Risk in this documentation.

  • Type: The type of the risk based alert configuration; either “Threshold” or “Rate of Change”. Threshold alerts are triggered when an entity’s risk score exceeds a given value. Rate of change alerts are triggered when an entity’s risk score increases by some given amount over a given number of hours. To learn more about the types of risk based alerts, see the section Key concepts > Risk Based Alerts in this documentation.

  • Entity Type: The type of entity that the alert applies to; either Users, Devices or Domains.

  • Risk Threshold: The value that an entity’s score must exceed for the alert to trigger. This is only applicable to alerts of type “Threshold”.

  • Risk Score Change & Evaluation Period: The amount by which an entity’s score must increase, and the number of hours within which that increase must occur. These are only applicable to alerts of type “Rate of Change”.

  • Active: Use this switch to disable an alert configuration (i.e., prevent it from triggering alerts) without deleting its definition.

In theory, risk based alerts can also be configured outside of the Behavior Analytics application. In general, Devo alerting supports configuring an alert on any Devo table. Since risk scores are stored in the entity.behavior.risk.events table, a user could define an alert on this table through the Devo Data Search UI. However, such hand-crafted alerts will not show up within the Behavior Analytics application unless they use the same naming convention (specifically, the alert name prefix SecOpsRisk). The Content Manager > Risk Based Alert Definitions page simply enables a quick and easy way to create and manage these alerts in one place.

Configuring a Risk Based Alert Definition

To configure a new risk based alert definition, click the Create button above the table (right). This opens the risk based alert definition editor, as pictured in the example below.

[Figure: The Risk Based Alert Definition editor. In this picture, a “threshold” alert type has been selected.]

  • In the Alert Name field, enter a name for the alert configuration. Note that a hard-coded prefix SecOpsRisk will be automatically applied to the name you provide.

  • In the Applies To field, choose which type of entity (users, devices or domains) this alert configuration should apply to.

  • In the Based On field, choose between “Risk Score” and “Relative Risk”. To learn more about the distinction between Risk Score and Relative Risk, see the sections Key concepts > Entity Risk Scoring and Key concepts > Entity Relative Risk in this documentation.

  • In the Alert Type field, choose between “Threshold” and “Rate of Change”.

    • Threshold alerts are triggered when an entity’s risk score exceeds a given value. For example, an alert which triggers whenever an entity’s relative risk exceeds 90 is a threshold alert.

    • Rate of change alerts do not specify a fixed value; rather, they are triggered when an entity’s risk score increases by some given amount over a given number of hours. For example, an alert which triggers whenever an entity’s risk score increases by over 100 points within 2 hours is a rate of change alert.

    • To learn more about the types of risk based alerts, see the section Key concepts > Risk Based Alerts in this documentation.

  • If you choose the “threshold” type, you will be prompted to specify the threshold value (pictured above). Alternatively, if you choose the “rate of change” type, you will be prompted to provide both the change amount and the number of hours over which the change must occur (pictured below).

  • Choose the priority (very high, high, medium, low, or very low) for the alert in the Alert Priority field.

  • Optionally, in the Advanced section, you may provide additional filter criteria for some of the other metrics included in the risk calculator’s results.

  • Click Save to finalize and activate your alert configuration.

The table will then update and your saved configuration will be displayed in the table’s contents.
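To make the two alert types concrete, the following is an added Python example (not Devo code and not a Devo alert query) that evaluates a threshold definition and a rate of change definition against a constructed set of risk calculator rows. The RiskAlertDefinition class mirrors the editor fields on this page; the row layout and field names are assumptions for illustration, not the real schema of entity.behavior.risk.events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)
H = lambda n: T0 + timedelta(hours=n)  # shorthand for "n hours after T0"
# Constructed sample rows; field names are assumptions, not the real table schema.
SAMPLE_EVENTS = [
    {"timestamp": H(0),   "entity_type": "Users",   "entity": "alice", "risk_score": 20,  "relative_risk": 10},
    {"timestamp": H(1),   "entity_type": "Users",   "entity": "alice", "risk_score": 70,  "relative_risk": 60},
    {"timestamp": H(1.5), "entity_type": "Users",   "entity": "alice", "risk_score": 130, "relative_risk": 95},
    {"timestamp": H(0),   "entity_type": "Users",   "entity": "bob",   "risk_score": 10,  "relative_risk": 5},
    {"timestamp": H(3),   "entity_type": "Users",   "entity": "bob",   "risk_score": 60,  "relative_risk": 40},
    {"timestamp": H(6),   "entity_type": "Users",   "entity": "bob",   "risk_score": 115, "relative_risk": 70},
    {"timestamp": H(2),   "entity_type": "Devices", "entity": "host1", "risk_score": 200, "relative_risk": 99},
]

@dataclass
class RiskAlertDefinition:
    name: str                       # the SecOpsRisk prefix is added automatically by the editor
    entity_type: str                # "Users", "Devices" or "Domains" (the Applies To field)
    based_on: str                   # "risk_score" or "relative_risk" (the Based On field)
    alert_type: str                 # "Threshold" or "Rate of Change"
    risk_threshold: float = 0.0     # Threshold alerts only
    risk_score_change: float = 0.0  # Rate of Change alerts only
    evaluation_hours: float = 0.0   # Rate of Change alerts only (the evaluation period)
    active: bool = True             # the Active switch in the table

def evaluate(defn: RiskAlertDefinition, events) -> list:
    """Return (entity, timestamp, value) for each row that would trigger the definition."""
    if not defn.active:
        return []
    rows = sorted((e for e in events if e["entity_type"] == defn.entity_type),
                  key=lambda e: e["timestamp"])
    metric, triggers = defn.based_on, []
    if defn.alert_type == "Threshold":
        # Threshold: fire on every row where the chosen metric exceeds the configured value
        return [(e["entity"], e["timestamp"], e[metric])
                for e in rows if e[metric] > defn.risk_threshold]
    # Rate of Change: compare each row with the lowest earlier value for the same entity
    # inside the evaluation window; rows older than the window no longer count
    window, history = timedelta(hours=defn.evaluation_hours), {}
    for e in rows:
        hist = history.setdefault(e["entity"], [])
        hist[:] = [h for h in hist if e["timestamp"] - h["timestamp"] <= window]
        if hist and (inc := e[metric] - min(h[metric] for h in hist)) > defn.risk_score_change:
            triggers.append((e["entity"], e["timestamp"], inc))
        hist.append(e)
    return triggers
```

In the sample data, bob’s score rises by more than 100 points overall but never within a 2 hour window, so a rate of change definition of “over 100 points within 2 hours” fires for alice only; the Devices row is ignored by a Users definition even though its relative risk is 99.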