About this page
The Content Manager > Alert Risk Scores page enables you to provide custom risk scores for each of your alert definitions.
When the risk calculator discovers triggered alerts with entity info, it must determine a risk score for each alert. By default, the risk calculator will follow an internal multi-step process to derive a meaningful risk score value. However, you can override this process by specifying custom fixed risk scores for each of your alert definitions.
To set a custom risk score for an alert definition, you may use a select X as risk statement in the alert definition’s LINQ query. Alternatively, for your convenience, you can provide the custom risk score in the Content Manager > Alert Risk Scores page of the Behavior Analytics UI.
The page displays a table of the alert definitions configured in your organization as pictured in the example below.
The table columns display information about each alert configuration, including the following:
Alert Name: The name of the alert configuration.
Has Entity Info: If the alert configuration’s LINQ query specifies one or more recognized entity field names (for example, entity_sourceAccount), then this column will display “yes”; otherwise “no”. Note that alert configurations without entity info will be ignored by the risk calculator. If your alert configuration shows “no” but you wish to include it in risk calculation, you must modify the alert’s LINQ query to provide at least one recognized entity field name. To learn more, see the section Key concepts > Alerts with entity info in this documentation.
Risk Score: If you provide a custom risk score for this alert configuration, then this column will display that value; otherwise “auto” is displayed. By default, alerts with an “auto” risk score will be scored by the risk calculator according to an internal multi-step process. To learn more, see the section Key concepts > Alert Risk Scoring in this documentation.
Note that this table does not include two types of alert configurations: behavior alerts and risk based alerts. Those alerts are excluded here because both behavior alerts and risk based alerts are ignored by the risk calculator; thus it makes no sense to assign a risk score to those alerts. To learn more, see the sections Key concepts > Behavior Alerts and Key concepts > Risk Based Alerts in this documentation.
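The rules above (alerts without entity info are ignored, behavior and risk-based alerts are never scored, a custom score comes from the UI or from a select X as risk statement, everything else is “auto”) can be modelled as a small resolver. This is an added illustration, not the product’s own code: the set of recognized entity field names beyond entity_sourceAccount, and the precedence of a UI score over a query score, are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed assumption: the page names only entity_sourceAccount as a
# recognized entity field; the other entries are illustrative placeholders.
RECOGNIZED_ENTITY_FIELDS = {"entity_sourceAccount", "entity_destAccount", "entity_host"}

# Matches a "select <number> as risk" clause in a LINQ query (case-insensitive).
RISK_SELECT = re.compile(r"\bselect\s+(\d+(?:\.\d+)?)\s+as\s+risk\b", re.IGNORECASE)


@dataclass
class AlertDefinition:
    name: str
    linq: str
    kind: str = "standard"               # "standard", "behavior" or "risk_based"
    custom_score: Optional[int] = None   # value entered on the Alert Risk Scores page


def has_entity_info(linq: str) -> bool:
    """True when the query references at least one recognized entity field name."""
    referenced = set(re.findall(r"\bentity_\w+", linq))
    return bool(referenced & RECOGNIZED_ENTITY_FIELDS)


def validate_custom_score(value: int) -> int:
    """The editor accepts values from zero to 100 only."""
    if not 0 <= value <= 100:
        raise ValueError("risk score must be between 0 and 100")
    return value


def risk_score_column(alert: AlertDefinition) -> str:
    """What the Risk Score column of the table shows for this alert."""
    return "auto" if alert.custom_score is None else str(alert.custom_score)


def resolve_risk_score(alert: AlertDefinition) -> Union[int, float, str, None]:
    """Score the calculator would use: None (ignored), a fixed number, or "auto"."""
    if alert.kind in ("behavior", "risk_based"):
        return None                       # never scored; not listed in the table
    if not has_entity_info(alert.linq):
        return None                       # ignored by the risk calculator
    if alert.custom_score is not None:    # assumed: UI score wins over the query
        return validate_custom_score(alert.custom_score)
    match = RISK_SELECT.search(alert.linq)
    if match:
        return float(match.group(1))      # fixed score from select X as risk
    return "auto"                         # internal multi-step process decides
```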
Specifying a Custom Alert Risk Score
To specify a custom risk score for an alert configuration:
Click on the action menu (labeled “…”) for that alert configuration, then click “Edit Risk Score”. This opens the alert risk score editor.
The editor displays the name of the selected alert configuration. For convenience, the editor displays the alert configuration’s LINQ query as well, as illustrated in the sample below.
In the Risk Score field of the editor, enter a value from zero to 100, then click Save.
The table of alert configurations will then be updated and the Risk Score column will display the entered custom score for the selected alert configuration.
To remove a custom risk score from an alert configuration:
Click on the action menu (labeled “…”) for that alert configuration, then click “Remove Risk Score”.
The table of alert configurations will then be updated and the Risk Score column will display “auto” for the selected alert configuration.