Question

entity risk analytics detection

  • December 11, 2025
  • 2 replies
  • 102 views

NASEEF

Hello team, do you have any guidance on developing a risk analytics rule that identifies when an entity exhibits a sudden spike in risk score? In the rule below, I can generate an alert when an entity’s risk score on the Risk Analytics dashboard exceeds a defined threshold. However, I’m more interested in detecting a sudden spike in the entity’s risk score rather than relying on a static benchmark.

I have two use cases: one is to alert when any user’s risk score in the analytics dashboard crosses a benchmark, and the other is to detect a sudden spike.


Also, for Risk Analytics, I could not find a UDM field that represents a normalized risk score. I only see the raw risk_score and the delta_risk_score fields.
Which of these fields would be the most appropriate to use for the rule?

 

2 replies

kentphelps
Staff
  • Staff
  • January 6, 2026

hzmndt
Staff
  • Staff
  • January 12, 2026

@NASEEF there is a new feature called entity-only rule, which looks at an internal UDM event to track the entity risk change; maybe something you can use for your use case?

 

UDM query> metadata.event_type = "ENTITY_RISK_CHANGE"

sample UDM data> 

extensions.entity_risk.risk_delta.previous_risk_score = 66
extensions.entity_risk.risk_score = 136
extensions.entity_risk.normalized_risk_score = 66
extensions.entity_risk.raw_risk_delta.previous_risk_score = 136

 

Document> 

https://docs.cloud.google.com/chronicle/docs/detection/risk-based-alerting
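As an added illustration (not from either poster, and not a YARA-L rule), here are the question's two use cases written as detection logic over ENTITY_RISK_CHANGE records in the shape the reply's UDM sample shows: a static benchmark on the current score, and a spike check that compares the current score with previous_risk_score. The threshold values, the sample records, and the principal.user.userid path used to name the entity are assumptions.

```python
# Added example (not from the thread): the question's two use cases as detection
# logic over ENTITY_RISK_CHANGE records. Field paths follow the reply's UDM
# sample; thresholds, sample records and the userid path are constructed.
BENCHMARK = 100        # use case 1: static benchmark on the current score (assumed)
SPIKE_MIN_DELTA = 50   # use case 2: minimum rise over the previous score (assumed)
SPIKE_MIN_RATIO = 1.5  # use case 2: new score must also be >= 1.5x previous (assumed)

def get_path(record, path):
    """Walk a dotted UDM path through nested dicts; None if any key is absent."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def classify(record):
    """Return the alert tags ('benchmark', 'spike') raised by one UDM record."""
    tags = set()
    if get_path(record, "metadata.event_type") != "ENTITY_RISK_CHANGE":
        return tags
    score = get_path(record, "extensions.entity_risk.risk_score")
    prev = get_path(record, "extensions.entity_risk.risk_delta.previous_risk_score")
    if score is None:
        return tags
    if score >= BENCHMARK:          # use case 1: static threshold
        tags.add("benchmark")
    if prev is not None:            # use case 2: spike; first observation has no baseline
        delta = score - prev
        ratio = score / prev if prev > 0 else float("inf")  # prev == 0: any rise is unbounded
        if delta >= SPIKE_MIN_DELTA and ratio >= SPIKE_MIN_RATIO:
            tags.add("spike")
    return tags

def risk_change(userid, score, prev=None):
    """Build a minimal constructed ENTITY_RISK_CHANGE record for a user entity."""
    delta = {"previous_risk_score": prev} if prev is not None else {}
    return {"metadata": {"event_type": "ENTITY_RISK_CHANGE"},
            "principal": {"user": {"userid": userid}},
            "extensions": {"entity_risk": {"risk_score": score, "risk_delta": delta}}}

SAMPLE = [risk_change("alice", 136, prev=66),  # numbers from the reply's sample
          risk_change("bob", 110, prev=90),    # slow climb past the benchmark
          risk_change("carol", 60, prev=0),    # jump from zero, still under benchmark
          risk_change("dave", 40)]             # first observation, nothing to compare

def alerts(records=SAMPLE):
    """Map userid -> sorted alert tags, leaving out entities that raise none."""
    return {get_path(r, "principal.user.userid"): sorted(classify(r))
            for r in records if classify(r)}
```

Requiring both a minimum absolute rise and a minimum ratio keeps a small increase on an already high score from being tagged as a spike while a jump from a low baseline still is.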