Risk score calculation for closed alerts
natasha-moore-elastic committed Dec 4, 2024
1 parent 09040ae commit 5bacbe9
Showing 4 changed files with 10 additions and 2 deletions.
2 changes: 2 additions & 0 deletions docs/advanced-entity-analytics/entity-risk-scoring.asciidoc
Expand Up @@ -37,6 +37,8 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne
== How is risk score calculated?

. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
+
NOTE: When <<turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.

. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.

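Review bot: the NOTE is attached to step 1 with a `+` list continuation, which keeps step 2 numbered correctly, but the note now contradicts the step it hangs off: step 1 still states that the engine aggregates only `Open` and `Acknowledged` alerts, while the note says `Closed` alerts can also be included. Suggest qualifying step 1, e.g. "... aggregates `Open` and `Acknowledged` alerts (and `Closed` alerts, if you enabled that option) from the last 30 days."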
4 changes: 3 additions & 1 deletion docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc
Expand Up @@ -29,7 +29,9 @@ image::images/preview-risky-entities.png[Preview of risky entities]
If you're installing the risk scoring engine for the first time:

. Find **Entity Risk Score** in the navigation menu.
. Turn the **Entity risk score** toggle on.
. On the **Entity Risk Score** page, turn the toggle on.

You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.

[role="screenshot"]
image::images/turn-on-risk-engine.png[Turn on entity risk scoring]
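Review bot: the new sentence "specify a date and time range for the calculation" does not say what the range replaces or what the default is. The calculation page changed in this same commit states that the engine aggregates alerts from the last 30 days, so say whether the range overrides that 30-day window and whether it applies to all alerts or only to the `Closed` alerts being added, and consider an xref to the "How is risk score calculated?" section so the two pages stay in step.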
Expand Up @@ -39,6 +39,8 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri
== How is risk score calculated?

. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
+
NOTE: When <<security-turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.
. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<security-hosts-overview-host-risk-summary,risk summary>>.
. The engine then verifies the entity's <<security-asset-criticality,asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
+
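Review bot: the hunk ends on a bare `+` list continuation after step 3 with nothing visible attached to it; confirm that the next line in the file is an admonition or paragraph meant to belong to step 3, otherwise the stray `+` renders as literal text or pulls an unrelated block into the list. Also, unlike the ESS version in entity-risk-scoring.asciidoc, there is no blank line between the NOTE and step 2 here; adding one keeps the two files consistent and makes the list boundary unambiguous.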
Expand Up @@ -43,7 +43,9 @@ To view risk score data, you must have alerts generated in your environment.
If you're installing the risk scoring engine for the first time:

. Go to **Project settings** → **Management** → **Entity Risk Score**.
. Turn the **Entity risk score** toggle on.
. On the **Entity Risk Score** page, turn the toggle on.

You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.

[role="screenshot"]
image::images/turn-on-risk-engine/turn-on-risk-engine.png[Turn on entity risk scoring]
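Review bot: the page now describes two controls (include `Closed` alerts, and a date and time range) that the unchanged screenshot `image::images/turn-on-risk-engine/turn-on-risk-engine.png[Turn on entity risk scoring]` predates; confirm the image shows these options or update it, and apply the same check to the ESS page's `images/turn-on-risk-engine.png`.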
