Change Auditor Threat Detection 7.0.4 - User Guide

Risk scoring

Each alert is assigned a risk score based on the criticality of its threat indicators. All the alerts that have been identified for each user are combined to produce an overall user risk score that reflects how risky or suspicious that user is. To ensure that only highly suspicious patterns of activity are highlighted and more innocuous alerts are suppressed, risk scoring is applied at four different stages.

Stage 1: Event scoring

Each raw event is given an initial risk score that rates the abnormality of its parameters, such as the computer, time or file location.

Stage 2: Threat indicator scoring

Similar events are grouped as threat indicators and scored again to identify abnormal patterns that extend over a period of time, such as an hour.

Stage 3: Alert scoring

SMART alerts correlate events and threat indicators into an aggregate alert, which is scored for a third time based on the uniqueness of its composition and the severity of the activities involved.

Indicators that are not scored high enough, or that are not correlated with other indicators in the same time period, are eliminated as false positives so that they do not create excessive noise. Only the SMART alerts that are scored as most critical are shown in the dashboard.

The final score ranges from 0 to 100: 0 indicates an event, session, or user that is fully consistent with the normal baseline, and 100 indicates a very unusual anomaly.

Stage 4: User risk scoring

The user risk score is the aggregate of the contributions made by each alert related to the user. Each alert's contribution to the user score depends on the alert severity: critical alerts contribute 20, high alerts contribute 15, medium alerts contribute 10, and low alerts contribute 1. The users with the highest risk scores are highlighted in the Threat Detection dashboard.
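The Stage 4 aggregation, as an added example that is not part of this guide or the product's code. It assumes the aggregate is a plain sum of per-alert contributions (the guide does not give the exact formula); the function names and the sample alerts are constructed for illustration.

```python
from collections import defaultdict

# Per-alert contribution to the user score, as listed in the guide.
SEVERITY_CONTRIBUTION = {"critical": 20, "high": 15, "medium": 10, "low": 1}

# Constructed sample alerts as (user, severity) pairs; not product output.
SAMPLE_ALERTS = (
    [("alice", "low")] * 12            # many low-severity alerts
    + [("bob", "critical")]            # a single critical alert
    + [("carol", "high"), ("carol", "medium")]
    + [("dave", "medium"), ("dave", "Medium ")]  # inconsistent casing/spacing
)


def user_risk_scores(alerts):
    """Return {user: score}. Assumption: the aggregate is a simple sum."""
    scores = defaultdict(int)
    for user, severity in alerts:
        key = severity.strip().lower()
        if key not in SEVERITY_CONTRIBUTION:
            # Fail loudly rather than silently scoring an unknown level as 0.
            raise ValueError(f"unknown alert severity: {severity!r}")
        scores[user] += SEVERITY_CONTRIBUTION[key]
    return dict(scores)


def rank_users(alerts, top=None):
    """Users ordered by descending score; ties broken by user name."""
    ranked = sorted(user_risk_scores(alerts).items(),
                    key=lambda item: (-item[1], item[0]))
    return ranked if top is None else ranked[:top]


if __name__ == "__main__":
    for user, score in rank_users(SAMPLE_ALERTS):
        print(f"{user:<6} {score}")
```

With these weights, twelve low alerts (12) rank below a single critical alert (20), which shows how the low contribution of 1 keeps routine noise from pushing a user to the top of the list.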


Threat Detection process

The Threat Detection process includes the following steps:





Using the Threat Detection Dashboard

Deployment and installation

For detailed instructions on how to deploy and properly install Threat Detection, see the Change Auditor for Threat Detection Deployment Guide.

For information about Change Auditor system requirements, see the Change Auditor Release Notes and the Change Auditor for Threat Detection Deployment Guide.

