Calculating User Risk Score
The User Risk Score is an intelligent aggregation of a user's activity alerts, during a specified period of time. The User Risk Dashboard highlights new users that have become risky and any changes in their behavior based on risk score, and recent score changes. Security analysts can identify and prioritize risky users, observe user risk score changes, analyze the source of increased risk, and determine an appropriate course of action. The daily risk score tracks a user’s risk day by day, allowing you to easily identify score changes and act first on users who’s risk level have recently changed. You can customize score thresholds per risk level for alert rules and users to control risk sensitivity for various groups and assets.
By default, the user risk score is calculated every three seconds; you can adjust this frequency, if required. For details, see Customizing User Risk Dashboard Parameters.
The User Risk Score is displayed for each user listed in the Risky Users section of the User Risk Dashboard.
Two values are displayed:
-
User Risk score – an aggregated score based on the last user period (by default 30 days).
-
Risk Change value – defined as the risk change from yesterday.
For example:
If you sort by Daily score change (see Filtering and Sorting the Display of Risky Users), the Risk Change value text size is enlarged and the User Risk score text size is reduced.
The color-coded circular shape that surrounds the User Risk Score reflects the severity of the alerts associated with that user; the risk level color indicator gauge provides a colorful visual point of severity reference.
User Risk Score tooltip - When you hover over the User Risk Score, a detailed tooltip displays the current score based on the last 31 days and the change from yesterday. Details of the score are also displayed with a breakdown of their contribution (and severity) to the overall risk score. For example:
Calculating the User Risk Score Value
By default the user risk score is calculated between 0 - 100. Optionally you can select to use a simplified user risk score with no limit.
To enable the simplified user risk score option, from the Configuration tab, select Alerts > Alerts & Prevent Rules > Settings. Select Use Simplified User Risk Score formula calculation. (See Defining Settings for Rules.)
A user's final risk score is calculated according to the user risk level score severity scale. The risk level of alerts have the following scores:
-
Critical 30
-
High 15
-
Medium 5
-
Low 1
The table below shows the weight used for user risk scoring:
Severity | Risk Score Weight when limited to 100 | Simplified User Risk Score Weight |
---|---|---|
Critical | 30 | 10 |
High | 15 | 5 |
Medium | 5 | 3 |
Low | 1 | 1 |
The following formula is used to calculate the overall score:
The following topic describes How Risky Applications and Alerts Contribute to the User Risk Score.