Entity risk groups
Overview
Entity risk groups enable organizations to identify specific sets of entities and adjust their risk score based on their own organization's context. Here are some examples of entity risk groups:
VIP users
Noisy users / entities
Crown jewels
Terminated employees
New employees
Flight risk employees
VIP users are people who are especially important to the organization, such as the C-suite and administrators who have access to sensitive information or many different systems. If these users are compromised or engage in risky behavior, it is imperative to look into them sooner rather than later. As a result, it is important to add risk multipliers to these users so that they bubble up to the top of the risk curve within Devo Behavior Analytics.
The Crown jewels list is similar to the VIP user list, except that it is for assets / endpoints within the IT environment.
Noisy users / entities are users that are involved in many risky activities that you still want visibility into, but whose noise you do not want overshadowing everything else going on in your organization. The list / lookup maintained here reduces the risk score of these entities so that they still show up in the application but with a generally lower risk score.
Reset risk score entities would be a list of entities that have their risk score reset for a fixed amount of time. These are entities that have been triaged by an analyst and have been deemed to not be a threat. The risk score is then reset for a period of time such that the application bubbles up other entities with risk to be triaged.
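The effect of these groups on triage order can be sketched with a small model. This is an added illustration, not Devo's implementation: the multiplier values, the entity names and base scores, the rule that several groups combine by multiplication, and the rule that a reset entity scores 0 until its reset period ends are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed multipliers for illustration; these are not Devo defaults.
GROUP_MULTIPLIERS = {
    "VIP users": 2.0,                # raise: look at these sooner
    "Crown jewels": 2.0,             # raise: sensitive assets / endpoints
    "Noisy users / entities": 0.25,  # lower: keep visible, reduce noise
}


def adjusted_score(base, groups, now, reset_until=None):
    """Return the base risk score after group multipliers are applied.

    Assumptions: multipliers of several groups combine by multiplication,
    and a reset entity scores 0 until its reset period ends.
    """
    if reset_until is not None and now < reset_until:
        return 0.0
    score = float(base)
    for group in groups:
        score *= GROUP_MULTIPLIERS.get(group, 1.0)
    return score


def triage_queue(entities, now):
    """Return (name, adjusted score) pairs, highest risk first."""
    scored = [
        (e["name"],
         adjusted_score(e["base"], e.get("groups", ()), now, e.get("reset_until")))
        for e in entities
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample entities and base scores.
NOW = datetime(2024, 1, 10, 12, 0)
ENTITIES = [
    {"name": "svc-scanner", "base": 90, "groups": ["Noisy users / entities"]},
    {"name": "cfo", "base": 40, "groups": ["VIP users"]},
    {"name": "db-prod-01", "base": 35, "groups": ["Crown jewels"]},
    {"name": "jdoe", "base": 60},
    {"name": "contractor7", "base": 85, "reset_until": NOW + timedelta(days=7)},
]

if __name__ == "__main__":
    for name, score in triage_queue(ENTITIES, NOW):
        print(f"{name:12} {score:6.1f}")
```

In this model the noisy scanner, which has the highest base score, drops below the VIP user and the crown-jewel host, and the reset entity returns to its base score once the reset period has passed.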
Configuring entity risk groups
Entity risk groups are configured in the Entity Groups tab within the Content Manager.
To create a new one, click the New Group button at the top right and give it a name (Risk Group) and a Risk Score Multiplier that will increase or decrease the risk score of the entities belonging to this group.
You can manage existing groups using the ellipsis menu at the end of each row. Edit Score Multiplier will open the group settings to modify them, while Editing List will open the Behavior Models tab.