From b41570a520cc39b09c37a87f51275ace40588da1 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 26 Mar 2024 10:57:02 +0000 Subject: [PATCH] Documents the max number of alerts per entity processed by risk scoring engine --- docs/advanced-entity-analytics/entity-risk-scoring.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index 1c69595ebb..76b8f120ba 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc @@ -29,7 +29,7 @@ The resulting entity risk scores are stored in the `risk-score.risk-score->. +The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. It groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <>. The engine then verifies the entity's <>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level:
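Review bot: The new sentence "For each entity, the engine processes up to 10,000 alerts." leaves the selection rule for the cap undocumented, which matters here because the same paragraph states that higher-risk alerts contribute more to the aggregate: a reader cannot tell whether an entity with more than 10,000 `Open`/`Acknowledged` alerts in the 30-day window has its highest-scoring alerts kept, its most recent ones kept, or an unspecified subset, and whether the excluded alerts affect the score at all. Suggest extending the sentence to state the ordering applied before truncation and that alerts beyond the limit are not included in the aggregation, for example "For each entity, the engine processes up to 10,000 alerts (sorted by <criterion>); alerts beyond this limit are not included in the aggregated score." with the criterion confirmed against the engine's behaviour. It would also help to say whether the limit is fixed or configurable, since the paragraph already documents the other fixed parameters (hourly run, 30-day window).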