立即与支持人员聊天
与支持团队交流

Change Auditor Threat Detection 7.3 - User Guide

Risk scoring

Each alert is assigned a risk score based on the criticality of its threat indicators. All the alerts that have been identified for each user are combined to produce an overall user risk score that reflects how risky or suspicious that user is. To ensure that only highly suspicious patterns of activity are highlighted and more innocuous alerts are suppressed, risk scoring is applied at four different stages.

Table 1. Event scoring stages
Stage
Description

Stage 1: Event scoring

Each raw event is given an initial risk score that rates the abnormality of its parameters, such as the computer, time or file location.

Stage 2: Threat indicator scoring

Similar events are grouped as threat indicators and scored again to identify abnormal patterns that extend over a period of time, such as an hour.

Stage 3: Alert scoring

SMART alerts correlate events and threat indicators into an aggregate alert, which is scored for a third time based on the uniqueness of its composition and the severity of the activities involved.

Indicators that are not scored high enough, or that are not correlated with other indicators in the same time period, are eliminated as false positives so that they do not create excessive noise. Only the SMART alerts that are scored as most critical are shown in the dashboard.

The final score ranges between 0 and 100, where 0 reflects an event/session/user which is completely adequate with the normal baseline, whereas 100 indicates a very unusual anomaly.

Stage 4: User risk scoring

The user risk score is an aggregate of the contribution to user scores for each alert related to the user. The contribution to the user score value for the alert is dependent on the alert severity. Critical alerts contribute 20, high contribute 15, medium contribute 10, and low contribute 1. The users with the highest risk scores are highlighted in the Threat Detection dashboard.

Figure 1. Event scoring stages

 

Threat Detection process

Threat Detection process includes the following steps:

1
Events are sent to the Threat Detection server to be processed and analyzed.
2
Machine learning and user behavior analytics analyze user actions in the stream of events and builds a multi-dimensional baseline of typical behavior for each user in the environment.
3
Once the baselines are established, predefined threat indicators are used to detect anomalous user activity in real time.
4
SMART technology provides prioritized alerts that reflect a meaningful deviation in user behavior.
5
A risk score is assigned to each alert to identify the level of threat they pose to your environment.
6
A risk score is assigned to each user. This score is a sum of the total alert points assigned to the user using the "contribution to user score'" points associated with each alert. Users with the highest user risk scores are highlighted in the Threat Detection dashboard, creating a dynamic watch list of emerging risky user threats sorted by severity.

 

 

 

 

Using the Threat Detection Dashboard
Deployment and installation
Accessing the dashboard
Overview tab
Users tab
Alerts Tab
How to perform an alert investigation
Common functions

Deployment and installation

For detailed instructions on how to deploy and properly install Threat Detection, see the Change Auditor for Threat Detection Deployment Guide.

For information about Change Auditor system requirements, see the Change Auditor Release Notes and the Change Auditor for Threat Detection Deployment Guide.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级