Hi @NASEEF,
1. Risk Score in the Outcome Section:
If a risk_score is defined in the outcome section of a rule, does it completely override the risk score configured in the settings section? Or does it only replace the base score while retaining the other components such as the closing coefficient, weightage, etc.?
There are some definitive answers around this; please see:
2. Risk Aggregation Across Multiple Rules:
Suppose a user (e.g., test) has 10 detections triggered by 7 different rules, where some rules define a risk_score in the outcome section and others do not:
• How does the Risk Analytics Dashboard handle and display this data?
• What is the calculation logic for normalized score, base score, risk trend, etc., in such mixed cases?
We calculate an entity’s risk score based on the risk scores of the detections and alerts for the entity in that risk window.
For each risk window (24 hours and 7 days), we collect all the detections and alerts in that timeframe, grouped by entity. We pick a single “indicator” value for each entity to use as the ID to refer to that entity. For example, for assets, we may pick hostname, and for a user we may pick their email address or user ID. To calculate the risk, we use the risk score of each detection and alert, using a default value for each if there is not an explicit score.
You can retrieve all the alerts that contributed to a risk score through the Risk Analytics dashboard page. Clicking the entity you want to investigate will bring you to a page that includes the detections for that entity in a given timeframe.
(credit: Daniel Hones)
3. Supported Time Windows:
Is it only possible to use the predefined window sizes of 24 hours and 7 days? Or is there support for custom time windows?
Short answer here is yes: those are the two windows you can use. As the product hints, entity risk changes by calculating risk through predefined windows of time - 24 hours, or 7 days. Scores decrease as findings age out of either the 24-hour window or the 7-day window, with each being better suited for specific analysis, e.g. short-term brute force activity over 24 hours, or a longer-term collection of malicious activity over 24 hours. However, analysts can reset risk on an entity through the UI and API to restart the calculations, but also within the fixed time period constraints, and you can look at much e
4. Impact of Closed Detections:
If 3 out of the 10 detections mentioned above are closed, how does that impact the overall risk score displayed on the Risk Analytics Dashboard?
The closed alert coefficient modifies the risk score of alerts marked as closed by analysts. It is a floating point modifier between 0 and 1 inclusive. The default is 1.0, meaning that all open and closed alerts retain their original scores. If the closed alert coefficient has a value of 0.0, all of the closed alerts receive a risk score of 0 and would no longer increase the risk score of the overall entity.
https://cloud.google.com/chronicle/docs/detection/risk-analytics-dashboard#closed-alert-coefficient
5. Retention Period:
For how long are the risk-related values (e.g., risk scores, trends, history) stored in the dashboard?
From my testing, you can view the risk calculations for a 7-day or 24-hour period as far back as the configured data retention period in SecOps (the standard is a year, but this can be extended when the order is first placed).
6. Varying Risk Scores Across Rules:
Suppose the risk_score for an entity varies across rules—e.g., 65 for one rule, 40 for three others, and no defined risk score for the remaining rules.
• How is the overall risk score calculated and displayed in this scenario?
It depends! Hopefully from my previous answers, you can see that the overall (i.e., the useful) figure really does depend on many factors:
- Risk score of each detection (default value or user override; if zero, for example, detections are not shown at all)
- Risk score of each alert (default, or user override), ±natural alert age, ±open/closed status
- User's explicit reduction of entity risk score (for example, to decrease number of alerts seen on a mitigated threat, after which only new detections/alerts are considered for the calculation)
- Weighting of maximum detection/alert score calculation
- Closed alert coefficient
For your example, using default values, the base risk score might look something like this:
- detection 1: risk score = 65
- detection 2: risk score = 40
- detection 3: risk score = 40
- detection 4: risk score = 40
- alert 1: risk score = 115
- alert 2: risk score = 0
- alert 3: risk score = 45
- alert 4: risk score = 70
Assuming a weight factor between max detection and maximum alert of 0.5 (equal weighting, in other words) would give:
max risk score = 115 + 0.5 * sum(remaining risk scores, so 65 + (40*3) + 0 + 45 + 70) = 265
If the weight factor were 1 in favour of alerts:
max risk score = 115 + 1 * sum(remaining alert risk scores, so 45 + 75) = 235
Hope this helps.
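The arithmetic sketched in the reply above (highest single score, a weighted sum of the rest, closed alerts scaled by the closed alert coefficient, and findings aging out of the 24-hour or 7-day window) is easier to reason about as code. The block below is an added illustration, not part of the original post and not Google SecOps' documented algorithm: the weighting (alert_weight applied to remaining alerts, 1 - alert_weight to remaining detections, so 0.5 is the "equal weighting" case and 1.0 the "all weight on alerts" case), the DEFAULT_SCORE placeholder, and the sample findings for user "test" are all assumptions constructed to reproduce the reply's worked figures.

```python
"""Illustrative model of the entity-risk arithmetic sketched in the reply.

Added example only: not Google SecOps' documented algorithm. The weighting
scheme and DEFAULT_SCORE are assumptions chosen to reproduce the reply's
worked figures (265 for equal weighting over the 7-day window).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed placeholder: the reply says a default is used when a rule sets no
# risk_score in its outcome section but does not state the actual value.
DEFAULT_SCORE = 40

WINDOW_24H = timedelta(hours=24)
WINDOW_7D = timedelta(days=7)


@dataclass
class Finding:
    kind: str              # "detection" or "alert"
    entity: str            # the indicator used as entity ID (hostname, email, user ID)
    score: Optional[int]   # None -> rule set no risk_score in its outcome section
    ts: datetime           # when the finding fired
    closed: bool = False   # analysts close alerts; coefficient applies only to those


def effective_score(f: Finding, closed_coeff: float) -> float:
    """Explicit score or the default; closed alerts are scaled by the coefficient."""
    s = DEFAULT_SCORE if f.score is None else f.score
    if f.kind == "alert" and f.closed:
        s *= closed_coeff
    return float(s)


def entity_risk(findings: List[Finding], entity: str, now: datetime,
                window: timedelta, alert_weight: float = 0.5,
                closed_coeff: float = 1.0) -> float:
    """Highest single score + alert_weight * remaining alert scores
    + (1 - alert_weight) * remaining detection scores, over findings in the window."""
    if not 0.0 <= closed_coeff <= 1.0:
        raise ValueError("closed alert coefficient must be between 0 and 1 inclusive")
    # Findings outside the window have aged out and no longer contribute.
    in_scope = [f for f in findings
                if f.entity == entity and now - window <= f.ts <= now]
    if not in_scope:
        return 0.0
    scored = [(f, effective_score(f, closed_coeff)) for f in in_scope]
    top_f, top_s = max(scored, key=lambda p: p[1])
    rest = [p for p in scored if p[0] is not top_f]
    alerts = sum(s for f, s in rest if f.kind == "alert")
    detections = sum(s for f, s in rest if f.kind == "detection")
    return top_s + alert_weight * alerts + (1.0 - alert_weight) * detections


# Constructed sample for user "test" using the scores from the reply's worked
# example. alert 1 (115) is three days old, so it is inside the 7-day window
# but has already aged out of the 24-hour window.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _hours_ago(h: int) -> datetime:
    return NOW - timedelta(hours=h)


SAMPLE = [
    Finding("detection", "test", 65, _hours_ago(2)),
    Finding("detection", "test", 40, _hours_ago(3)),
    Finding("detection", "test", 40, _hours_ago(4)),
    Finding("detection", "test", 40, _hours_ago(5)),
    Finding("alert", "test", 115, _hours_ago(72)),
    Finding("alert", "test", 0, _hours_ago(6)),
    Finding("alert", "test", 45, _hours_ago(7)),
    Finding("alert", "test", 70, _hours_ago(8)),
]


def baseline_7d() -> float:
    """Equal weighting over 7 days: 115 + 0.5*(0+45+70) + 0.5*(65+40*3)."""
    return entity_risk(SAMPLE, "test", NOW, WINDOW_7D)


def alerts_only_7d() -> float:
    """All weight on alerts: detections drop out of the sum."""
    return entity_risk(SAMPLE, "test", NOW, WINDOW_7D, alert_weight=1.0)


def baseline_24h() -> float:
    """Same data over 24 hours: alert 1 has aged out, so alert 4 (70) is the top score."""
    return entity_risk(SAMPLE, "test", NOW, WINDOW_24H)


def closed_zeroed_7d() -> float:
    """alert 3 (45) closed with coefficient 0.0 contributes nothing to the entity."""
    closed = [Finding(f.kind, f.entity, f.score, f.ts, closed=(f.score == 45))
              for f in SAMPLE]
    return entity_risk(closed, "test", NOW, WINDOW_7D, closed_coeff=0.0)


def default_applied() -> float:
    """A detection whose rule set no risk_score falls back to the assumed default."""
    return effective_score(Finding("detection", "test", None, NOW), 1.0)


if __name__ == "__main__":
    for name, fn in [("7d, equal weighting", baseline_7d),
                     ("7d, alerts only", alerts_only_7d),
                     ("24h, equal weighting", baseline_24h),
                     ("7d, alert 3 closed, coeff 0.0", closed_zeroed_7d)]:
        print(f"{name}: {fn():.1f}")
```

Running it shows the two behaviours the reply describes: the 24-hour figure is lower than the 7-day figure only because the oldest alert has left the window, and setting the closed alert coefficient to 0.0 removes a closed alert's contribution without touching the open ones.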