Risk Scores in the New-Scale Security Operations Portfolio Licenses

Learn how risk scores are calculated with the New-Scale Security Operations portfolio licenses.

With the New-Scale Security Operations portfolio licenses, the risk score is calculated differently depending on whether a case was created by converting an alert or was created manually.

Risk Scores for Alerts and Converted Cases

For alerts and cases converted from an alert, the risk score is based on the behavioral analytics insights provided by the analytics engine.

The case or alert risk score is determined using two variables: rarity and business factors. First, the detection rarity score is used to determine the case or alert rarity score. Then, the case or alert rarity score is adjusted based on business factors to derive a final case or alert risk score.

  1. Threat Center sums the rarity scores of all detections grouped under a case or alert.

    When the analytics engine creates a detection, it assigns the detection a rarity score depending on how often the associated correlation rules or analytics rules trigger in your environment.

    To determine a rarity score for the case or alert, first Threat Center sums the rarity scores of all detections grouped under it.

    Example

    Three detections are grouped under a case:

    • The rarity score of detection A is 99.

    • The rarity score of detection B is 99.

    • The rarity score of detection C is 99.

    To calculate a rarity score for the case, Threat Center sums the three rarity scores:

    Equation 2. 
    99 + 99 + 99 = 297

    The case rarity score is 297.

  2. Threat Center uses a sigmoid function to normalize the case or alert rarity score to a number between zero and 100. This normalized rarity score forms the basis of the case or alert risk score.

    Example

    The case rarity score is 297.

    After normalizing the overall rarity score using a sigmoid function, the normalized case rarity score is 38.

  3. To tune the normalized rarity score, Threat Center considers a set of business factors.

    Business factors are attributes of a case or alert that make it more or less likely to be risky to your business. Business factors may tune the normalized rarity score higher or lower. Threat Center currently assesses the following business factors:

    • High Scoring Fact Detections – The number of factFeature analytics rule detections with a rarity score greater than or equal to 99.

    • Rule Severity Manual Adjustment – The highest severity of all analytics rules associated with detections.

    • Unique Rules – The number of unique triggered rules associated with the case or alert.

    • Destination Device Entities – The number of destination device entities associated with the case or alert.

    • % of High Scoring Detections – The percentage of detections with a rarity score greater than or equal to 99.

    • Medium Criticality Entities – The number of entities associated with the case or alert with a medium security criticality.

    • High Criticality Entities – The number of entities associated with the case or alert with a high security criticality.

    Each business factor is assigned a weight; depending on its weight, a business factor may have a greater or lesser impact on the risk score. After Threat Center uses the business factors to tune the normalized rarity score, you have the final risk score for a case or alert.

    Example

    The normalized case rarity score is 38.

    Threat Center assesses the case along the relevant business factors:

    • The case has three factFeature analytics rule detections with a rarity score greater than or equal to 99.

    • The highest severity of all analytics rules associated with the case is High.

    • There are three detections with a rarity score greater than or equal to 99.

    • One user entity associated with the case has a high security criticality.

    After evaluating the business factors and their weights, the normalized case rarity score is tuned higher by 61 points:

    Equation 3. 
    38 + 61 = 99

    The final case risk score is 99.
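The three steps above, carried through in code as an added example; this is not Threat Center's implementation and the analytics engine does not expose it. The page states that a sigmoid is used and that each business factor has a weight, but it publishes neither the sigmoid parameters nor the weights, so the `midpoint`, `steepness` and `WEIGHTS` values below are assumptions, and the clamp to 0..100 after adjustment is an assumption too. The constructed sample reproduces the page's inputs (three factFeature detections at rarity 99, highest severity High, one high-criticality user; the rule names are made up), so the raw sum of 297 matches the page, while the normalized and final values differ from 38 and 99 because the real parameters are unknown. A second constructed case shows why a clamp is needed when weighted factors would push the score past 100.

```python
import math
from dataclasses import dataclass


@dataclass
class Detection:
    rule: str          # name of the triggering analytics or correlation rule
    rule_type: str     # "factFeature" for fact-based analytics rules, anything else otherwise
    severity: str      # rule severity: "Low", "Medium", "High" or "Critical"
    rarity: float      # rarity score the analytics engine assigned to the detection


@dataclass
class Entity:
    name: str
    kind: str          # "user" or "device"
    role: str          # "source" or "destination"
    criticality: str   # security criticality: "low", "medium" or "high"


SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
HIGH_SCORING = 99  # rarity threshold behind the "high scoring" business factors

# Assumed per-unit weights (points of adjustment per unit of factor value).
# The page says factors are weighted but does not publish the weights.
WEIGHTS = {
    "high_scoring_fact_detections": 5,
    "max_rule_severity": 4,
    "unique_rules": 2,
    "destination_device_entities": 3,
    "pct_high_scoring_detections": 0.1,
    "medium_criticality_entities": 2,
    "high_criticality_entities": 10,
}


def sum_rarity(detections):
    """Step 1: raw case/alert rarity score = sum of the detection rarity scores."""
    return sum(d.rarity for d in detections)


def sigmoid_normalize(raw, midpoint=400.0, steepness=0.005):
    """Step 2: squash the unbounded sum onto 0..100 with a logistic curve.

    midpoint and steepness are assumed; the page only says a sigmoid is used.
    Large sums saturate near 100 instead of growing without bound.
    """
    return 100.0 / (1.0 + math.exp(-steepness * (raw - midpoint)))


def business_factors(detections, entities):
    """Step 3a: the seven business factors listed on the page."""
    high = [d for d in detections if d.rarity >= HIGH_SCORING]
    return {
        "high_scoring_fact_detections": sum(1 for d in high if d.rule_type == "factFeature"),
        "max_rule_severity": max((SEVERITY_RANK[d.severity] for d in detections), default=0),
        "unique_rules": len({d.rule for d in detections}),
        "destination_device_entities": sum(
            1 for e in entities if e.kind == "device" and e.role == "destination"),
        "pct_high_scoring_detections": 100.0 * len(high) / len(detections) if detections else 0.0,
        "medium_criticality_entities": sum(1 for e in entities if e.criticality == "medium"),
        "high_criticality_entities": sum(1 for e in entities if e.criticality == "high"),
    }


def adjust(normalized, factors, weights=WEIGHTS):
    """Step 3b: apply weighted factors; clamp to 0..100 (assumed, not stated on the page)."""
    delta = sum(weights[name] * value for name, value in factors.items())
    return max(0.0, min(100.0, normalized + delta)), delta


def risk_score(detections, entities):
    """Run all three steps and return the intermediate values the UI breaks out."""
    raw = sum_rarity(detections)
    normalized = sigmoid_normalize(raw)
    factors = business_factors(detections, entities)
    final, delta = adjust(normalized, factors)
    return {"raw": raw, "normalized": round(normalized), "factors": factors,
            "adjustment": round(delta), "final": round(final)}


# Constructed sample mirroring the page's example; rule names are assumed.
PAGE_CASE = (
    [Detection("rare-process-for-user", "factFeature", "High", 99),
     Detection("first-logon-to-host", "factFeature", "Medium", 99),
     Detection("abnormal-logon-hour", "factFeature", "High", 99)],
    [Entity("jdoe", "user", "source", "high")],
)

# Constructed case whose weighted adjustment would exceed 100 without the clamp.
SATURATED_CASE = (
    [Detection(f"rule-{i}", "factFeature", "Critical", 99) for i in range(6)],
    [Entity("dc01", "device", "destination", "high"),
     Entity("fileserver", "device", "destination", "high"),
     Entity("admin", "user", "source", "high")],
)

if __name__ == "__main__":
    for label, (dets, ents) in (("page example", PAGE_CASE), ("saturated", SATURATED_CASE)):
        print(label, risk_score(dets, ents))
```

The intermediate values returned by `risk_score` correspond one-to-one with the Sum of Raw Rarity Scores, Normalization, Business Factors Adjustment and Final Adjusted Risk Score sections of the "How was this calculated?" view, which is the useful way to sanity-check a score you disagree with: if the raw sum is right but the final score is not, the disagreement is in the factor weights or rule severities, not in the detections.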

Understand Risk Score Calculation for a Specific Case or Alert

To understand how Threat Center calculates the risk score for a specific case or alert, navigate to the Overview tab, then under Risk Score, click How was this calculated?:

  1. Under Sum of Raw Rarity Scores, view the case or alert rarity score, which is the sum of the rarity scores of all detections grouped under the case or alert.

  2. Under Normalization, view the normalized rarity score, calculated using a sigmoid function to normalize the case or alert rarity score to a number between zero and 100.

  3. Under Business Factors Adjustment, view a list of the business factors used to tune the normalized rarity score and by how many points the business factors adjusted the risk score. Business factors with a down arrow tuned the normalized rarity score lower; business factors with an up arrow tuned the normalized rarity score higher.

    If the business factors did not impact the risk score, you receive the message: After related anomalous events are grouped into a single alert, the initial data-driven score remained unchanged.

  4. Under Final Adjusted Risk Score, review the final risk score for the case or alert.

Tune the Risk Score

To tune the risk score, you can:

  • Adjust the severity of analytics rules, one of the business factors Threat Center uses to tune the normalized rarity score.

  • Tune analytics rules using exclusions. Exclusions prevent specific analytics rules from triggering on event field values or context table entries that match conditions you specify; for example, you might exclude routine administrative logins from being flagged as suspicious, or exclude IP ranges commonly used by internal systems from being treated as potential attack sources.

  • Adjust context tables to ensure analytics rules and correlation rules are evaluating an accurate and holistic view of your environment.

Risk Scores for Manually Created Cases

Manually created cases are assigned a risk score based on the priority assigned to the case when it was created:

  • Critical – The risk score is 100.

  • High – The risk score is 75.

  • Medium – The risk score is 50.

  • Low – The risk score is 25.