diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index 8b9be7a266..52bc6403b2 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc @@ -37,6 +37,8 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne == How is risk score calculated? . The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. ++ +NOTE: When <>, you can choose to also include `Closed` alerts in risk scoring calculations. . The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <>. diff --git a/docs/advanced-entity-analytics/images/preview-risky-entities.png b/docs/advanced-entity-analytics/images/preview-risky-entities.png index 838ee1a7ff..ce345d40e4 100644 Binary files a/docs/advanced-entity-analytics/images/preview-risky-entities.png and b/docs/advanced-entity-analytics/images/preview-risky-entities.png differ diff --git a/docs/advanced-entity-analytics/images/turn-on-risk-engine.png b/docs/advanced-entity-analytics/images/turn-on-risk-engine.png index 7593e7df10..4bc05a67e0 100644 Binary files a/docs/advanced-entity-analytics/images/turn-on-risk-engine.png and b/docs/advanced-entity-analytics/images/turn-on-risk-engine.png differ diff --git a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc index 945b2f859c..94fe36a8ef 100644 --- a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc +++ b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc 
@@ -29,7 +29,9 @@ image::images/preview-risky-entities.png[Preview of risky entities] If you're installing the risk scoring engine for the first time: . Find **Entity Risk Score** in the navigation menu. -. Turn the **Entity risk score** toggle on. +. On the **Entity Risk Score** page, turn the toggle on. + +You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation. [role="screenshot"] image::images/turn-on-risk-engine.png[Turn on entity risk scoring]
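Review bot: The new NOTE in entity-risk-scoring.asciidoc (hunk at @@ -37,6 +37,8 @@) now contradicts the unchanged context line directly above it, "NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne...", and the list item it is attached to, which still says the engine aggregates only `Open` and `Acknowledged` alerts. If `Closed` alerts can be opted into, both of those statements need a qualifier, for example "unless you chose to include `Closed` alerts when turning on the risk engine"; otherwise a reader is told in consecutive sentences that closed alerts never count and that they can count. Also confirm the cross-reference target in `When <>, you can choose...` survives rendering: the existing `<>` in the same item suggests the anchors were stripped in this extraction, but the new one should be checked in the built docs.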
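Review bot: The added paragraph in turn-on-risk-engine.asciidoc ("You can also choose to include `Closed` alerts ... and specify a date and time range") gives no defaults and no guidance, so a reader does not know what happens if they leave the options alone. State the default range (the sibling file's context says the engine aggregates alerts from the last 30 days) and whether `Closed` alerts are excluded unless explicitly selected, and note that widening the range or adding closed alerts will change scores for entities that currently have none. Two smaller points: the rewritten step "On the **Entity Risk Score** page, turn the toggle on" drops the toggle's name ("Entity risk score") that the removed line had, which is what users search for; and since the new sentence describes options on the same page as step 2, consider attaching it to that step with a `+` continuation rather than leaving it as a free paragraph after the list.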