Hello team, do you have any guidance on developing a risk analytics rule that identifies when an entity exhibits a sudden spike in risk score? In the rule below, I can generate an alert when an entity’s risk score on the Risk Analytics dashboard exceeds a defined threshold. However, I’m more interested in detecting a sudden spike in the entity’s risk score rather than relying on a static benchmark.
I have two use cases: one is to alert when any user’s risk score in the analytics dashboard crosses a benchmark, and the other is to detect a sudden spike.

Also, for Risk Analytics, I could not find a UDM field that represents a normalized risk score. I only see the raw risk_score and the delta_risk_score fields.
Which of these fields would be the most appropriate to use for the rule?

