Threat Center Guide

Threat Center Risk Score

Quickly understand the risk level of a case or alert with risk scores.

A risk score is a measure of how risky a detection, alert, or case is. At a glance, you can better prioritize your efforts and decide whether you should spend time and resources on a case or alert.

Depending on your license, risk scores are calculated differently.

Risk Scores in the New-Scale Security Operations Portfolio Licenses

With the New-Scale Security Operations portfolio licenses, risk score calculations are based on the behavioral analytics insights provided by the analytics engine.

The case or alert risk score is determined using two variables: rarity and business factors. First, the detection rarity score is used to derive the case or alert rarity score. Then, the case or alert rarity score is adjusted based on business factors to derive a final case or alert risk score.

First, Threat Center uses the detection rarity scores to determine a case or alert rarity score. When the analytics engine creates a detection, it assigns the detection a rarity score between one and 100 depending on how often the associated correlation rules or analytics rules trigger in your environment. To determine the rarity score for the case or alert, Threat Center sums the detection rarity scores, then uses a sigmoid function to normalize the case or alert rarity score to a number between zero and 100. This normalized rarity score forms the basis of the case or alert risk score.

Next, Threat Center considers a set of business factors. Business factors are attributes of a case or alert that make it more or less likely to be risky. Threat Center uses business factors to tune the normalized rarity score and make it higher or lower. Threat Center currently assesses the following business factors:

  • High Scoring Fact Detections – The number of fact-based analytics rules detections with a rarity score greater than or equal to 99.

  • Unique Rules – The number of unique triggered rules associated with the case or alert.

  • Destination Device Entities – The number of destination device entities associated with the case or alert.

  • % of High Scoring Detections – The percentage of detections with a rarity score greater than or equal to 99.

  • Medium Criticality Entities – The number of entities associated with the case or alert with a medium security criticality.

  • High Criticality Entities – The number of entities associated with the case or alert with a high security criticality.

Each business factor is assigned a weight; depending on its weight, a business factor may have a greater or lesser impact on the risk score. After Threat Center uses the business factors to tune the normalized rarity score, you have the final risk score for a case or alert.

To understand how Threat Center calculates the risk score for a specific case or alert, navigate to the Overview tab, then under Risk Score, click How was this calculated?:

  1. Under Rarity Normalization, view the sigmoidal curve used to normalize the original rarity score and the resulting normalized rarity score.

  2. Under Business Factors Adjustment, view all the business factors used to tune the normalized rarity score. Under Value, view the value of the business factor for the case or alert. For example, if the Unique Rules business factor has a value of eight, there are eight unique rules associated with the case or alert; if the % of High Scoring Detections business factor has a value of 80, 80 percent of the case or alert detections have a rarity score greater than or equal to 99. Under Impact, view how the business factor affected the score: whether it raised or lowered the score, and by how much.

  3. Under Final Adjusted Risk Score, review a summary of the normalized risk score and how it was tuned using the business factors to derive the final risk score.
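The following Python is an added illustration of the calculation described above, not Exabeam's implementation: it sums the detection rarity scores, normalizes the sum with a sigmoid, computes the six business factors listed above and applies weighted adjustments, returning the same breakdown the How was this calculated? panel shows. The sigmoid midpoint and steepness, the factor weights, the additive form of the adjustment, and the sample detections and entities are all assumptions; the page does not publish the real values, and real weights may also lower a score.

```python
import math
from dataclasses import dataclass
# Assumed sigmoid parameters: the page says a sigmoid is used but does not publish it.
SIGMOID_MIDPOINT = 200.0   # raw rarity sum that normalizes to 50
SIGMOID_STEEPNESS = 0.02   # how fast the curve saturates toward 0 and 100
# Assumed per-factor weights (impact points per unit of value); the page says weights
# exist but gives none. All positive here, so each factor raises the score.
WEIGHTS = {"high_scoring_fact_detections": 2.0, "unique_rules": 1.0,
           "destination_device_entities": 0.5, "pct_high_scoring_detections": 0.05,
           "medium_criticality_entities": 1.0, "high_criticality_entities": 3.0}
@dataclass
class Detection:
    rule_id: str
    rarity: int               # 1..100, assigned by the analytics engine
    fact_based: bool = False  # produced by a fact-based analytics rule
    dest_devices: tuple = ()  # destination device entities it involves

def normalize_rarity(raw_sum):
    # Sigmoid squashes the unbounded rarity sum onto 0..100.
    return 100.0 / (1.0 + math.exp(-SIGMOID_STEEPNESS * (raw_sum - SIGMOID_MIDPOINT)))
def business_factors(dets, entity_criticality):
    # The six business factor values the page lists, for one case or alert.
    high = [d for d in dets if d.rarity >= 99]
    crit = list(entity_criticality.values())
    return {
        "high_scoring_fact_detections": sum(1 for d in high if d.fact_based),
        "unique_rules": len({d.rule_id for d in dets}),
        "destination_device_entities": len({dev for d in dets for dev in d.dest_devices}),
        "pct_high_scoring_detections": 100.0 * len(high) / len(dets) if dets else 0.0,
        "medium_criticality_entities": crit.count("medium"),
        "high_criticality_entities": crit.count("high"),
    }
def risk_score(dets, entity_criticality):
    # Same breakdown the "How was this calculated?" panel shows.
    raw = sum(d.rarity for d in dets)
    normalized = normalize_rarity(raw)
    factors = business_factors(dets, entity_criticality)
    impact = {k: WEIGHTS[k] * v for k, v in factors.items()}
    final = max(0.0, min(100.0, normalized + sum(impact.values())))  # clamp to 0..100
    return {"raw_rarity": raw, "normalized": round(normalized, 1),
            "factors": factors, "impact": impact, "final": round(final, 1)}

# Constructed sample: four detections from three rules, two entities with a criticality.
SAMPLE_DETECTIONS = [
    Detection("auth-unusual-host", 99, fact_based=True, dest_devices=("srv-01",)),
    Detection("auth-unusual-host", 40, dest_devices=("srv-02",)),
    Detection("first-admin-tool", 100, fact_based=True, dest_devices=("srv-01",)),
    Detection("smb-share-enum", 20),
]
SAMPLE_ENTITIES = {"jdoe": "medium", "srv-01": "high"}
```

With the sample, the raw rarity sum is 259, the normalized score is about 76.5, the business factors add 14.5 points, and the final score is 91.0; ten high-criticality entities would push the sum past 100 and the clamp holds it at 100.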

Risk Scores in the Exabeam Security Operations Portfolio and Fusion Licenses

With the Exabeam Security Operations portfolio and Fusion licenses, risk score calculations are based on Advanced Analytics risk scores and correlation rule severity.

The case or alert risk score is the sum of its detection risk scores. By default, the case or alert risk score determines the alert or case priority:

  • Critical – The risk score is greater than or equal to 75.

  • High – The risk score is less than 75 and greater than or equal to 50.

  • Medium – The risk score is less than 50 and greater than or equal to 25.

  • Low – The risk score is less than 25.

If you change the alert or case priority, the risk score remains the same.

A correlation rule detection risk score is determined by the correlation rule severity:

  • Critical – The detection is assigned a risk score of 100.

  • High – The detection is assigned a risk score of 75.

  • Medium – The detection is assigned a risk score of 50.

  • Low – The detection is assigned a risk score of 25.

  • None – The detection is assigned a risk score of zero.

An Advanced Analytics detection risk score is a sum of the associated triggered rule risk scores.
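As an added example (not Exabeam's code), the following Python models the Exabeam Security Operations portfolio and Fusion calculation described in this section: correlation rule detections score by severity, an Advanced Analytics detection scores as the sum of its triggered rules, the case score is the sum of its detections, and the default priority bands are applied with an analyst override that leaves the score unchanged. The sample case, rule names and per-rule Advanced Analytics scores are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Detection risk score per correlation rule severity, exactly as the page lists it.
SEVERITY_SCORE = {"critical": 100, "high": 75, "medium": 50, "low": 25, "none": 0}

@dataclass
class CorrelationDetection:
    rule_name: str
    severity: str                  # critical / high / medium / low / none

@dataclass
class AdvancedAnalyticsDetection:
    triggered_rules: dict          # triggered rule id -> its risk score (constructed values)

def detection_risk(det) -> int:
    # Correlation rule detections score by severity; Advanced Analytics
    # detections score as the sum of their triggered rules' risk scores.
    if isinstance(det, CorrelationDetection):
        return SEVERITY_SCORE[det.severity.lower()]
    return sum(det.triggered_rules.values())

def default_priority(score) -> str:
    # Default priority bands; each lower bound is inclusive (75 is already Critical).
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"

@dataclass
class Case:
    detections: list
    priority_override: Optional[str] = None  # set when an analyst changes the priority

    def risk_score(self) -> int:
        return sum(detection_risk(d) for d in self.detections)

    def priority(self) -> str:
        # Changing the priority never changes the score, so the override is
        # consulted only here and risk_score() is left untouched.
        return self.priority_override or default_priority(self.risk_score())

# Constructed sample: one High-severity correlation detection plus one
# Advanced Analytics detection whose two triggered rules add up to 25.
SAMPLE_CASE = Case([
    CorrelationDetection("Multiple failed logons then success", "High"),
    AdvancedAnalyticsDetection({"first-logon-to-host": 15, "new-admin-tool": 10}),
])
```

Note that a single High-severity correlation detection (75) already reaches the Critical band on its own, which is worth keeping in mind when reading default priorities on these licenses.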