[8.x] Risk score calculation for closed alerts (backport #6271) (#6367)

* Risk score calculation for closed alerts (#6271) * Risk score calculation for closed alerts * Updates screenshots (cherry picked from commit 19e3484) # Conflicts: # docs/serverless/advanced-entity-analytics/entity-risk-scoring.asciidoc # docs/serverless/advanced-entity-analytics/turn-on-risk-engine.asciidoc # docs/serverless/images/turn-on-risk-engine/preview-risky-entities.png # docs/serverless/images/turn-on-risk-engine/turn-on-risk-engine.png * Delete docs/serverless directory and its contents --------- Co-authored-by: natasha-moore-elastic <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
elastic · Dec 18, 2024 · 590f856 · 590f856
1 parent 78c6623
commit 590f856
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 1 deletion.
diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc
@@ -37,6 +37,8 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne
 == How is risk score calculated?
 
 . The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
++
+NOTE: When <<turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.
 
 . The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
 

diff --git a/docs/advanced-entity-analytics/images/preview-risky-entities.png b/docs/advanced-entity-analytics/images/preview-risky-entities.png
diff --git a/docs/advanced-entity-analytics/images/turn-on-risk-engine.png b/docs/advanced-entity-analytics/images/turn-on-risk-engine.png
diff --git a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc
@@ -29,7 +29,9 @@ image::images/preview-risky-entities.png[Preview of risky entities]
 If you're installing the risk scoring engine for the first time:
 
 . Find **Entity Risk Score** in the navigation menu.
-. Turn the **Entity risk score** toggle on.
+. On the **Entity Risk Score** page, turn the toggle on.
+
+You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.
 
 [role="screenshot"]
 image::images/turn-on-risk-engine.png[Turn on entity risk scoring]