Risk Scoring Settings
Configure risk-based alerting behavior including global risk weight and TTL decay factors.
Accessing Risk Scoring Settings
Navigate to Settings > Risk Scoring from the sidebar, or click the gear icon on the Risk Analytics page.
Global Risk Weight
The global risk weight acts as a system-wide multiplier for all calculated risk scores.
Configuration
Use the slider to set the weight between 0.0 and 1.0:
| Weight | Effect | Use Case |
|---|---|---|
| 1.0 | Full scoring | Production environments, aggressive threat detection |
| 0.75 | 75% scoring | Slightly conservative approach |
| 0.5 | 50% scoring | Conservative scoring, high false positive environments |
| 0.25 | 25% scoring | Very conservative, testing new rules |
| 0.0 | Disabled | Turn off risk scoring entirely |
How It Works
The global weight is applied to the final calculated score:
```
Final Score = round(Raw Score × Global Weight)
```
Example: A detection with base score 80 and global weight 0.5:
- Final Score = round(80 × 0.5) = 40
Per-Query Weight Override
Individual detection queries can override the global weight using the weight= parameter in the | risk command:
```
// Use 80% weight instead of global setting
| risk score=50 entity=user weight=0.8
```
This is useful for:
- Reducing impact of noisy rules during tuning
- Increasing weight for high-confidence detections
- Fine-tuning specific detection rules without changing global settings
Quick Preset Buttons
Click any preset value for quick adjustment:
- 0.00 - Disable risk scoring
- 0.25 - Minimal scoring
- 0.50 - Conservative (default)
- 0.75 - Moderate
- 1.00 - Full scoring
TTL Decay Configuration
TTL (Time-To-Live) decay reduces the contribution of older findings to entity risk scores. This implements Google SecOps-style time-based scoring.
Decay Factor Sliders
Configure how much weight findings receive based on their age:
| Time Window | Default | Description |
|---|---|---|
| 0-24 hours | 1.0 | Full weight for recent findings |
| 1-3 days | 0.7 | Findings contribute 70% of their score |
| 3-5 days | 0.4 | Findings contribute 40% of their score |
| 5-7 days | 0.2 | Findings contribute 20% of their score |
Findings older than 7 days are automatically excluded (0% weight).
Decay Calculation
Each finding's contribution is:
```
Decayed Score = Raw Score × Decay Factor
```
Example: A finding with score 100 from 4 days ago:
- Decay Factor (3-5 days) = 0.4
- Decayed Score = 100 × 0.4 = 40
Tuning Guidelines
High-Velocity SOC
For environments processing thousands of alerts daily, use aggressive decay:
| Window | Recommended |
|---|---|
| 0-24h | 1.0 |
| 1-3d | 0.5 |
| 3-5d | 0.2 |
| 5-7d | 0.1 |
This keeps focus on today's threats.
Compliance-Focused
For environments requiring longer visibility windows:
| Window | Recommended |
|---|---|
| 0-24h | 1.0 |
| 1-3d | 0.9 |
| 3-5d | 0.7 |
| 5-7d | 0.5 |
This maintains historical context for audit purposes.
Investigation-Heavy
For teams doing deep investigations:
| Window | Recommended |
|---|---|
| 0-24h | 1.0 |
| 1-3d | 0.8 |
| 3-5d | 0.6 |
| 5-7d | 0.4 |
Balanced approach for investigation workflows.
Reset to Defaults
Click "Reset to Defaults" to restore the standard decay configuration:
- 0-24h: 1.0
- 1-3d: 0.7
- 3-5d: 0.4
- 5-7d: 0.2
Understanding the Impact
Risk Table Display
After configuring decay, the Risk Analytics table shows:
| Column | Source |
|---|---|
| 24h Score | Decayed sum of findings from last 24 hours |
| 7d Score | Decayed sum of findings from last 7 days |
| Findings | Count shown as "24h / 7d" |
Score Comparison
Hover over any score to see the tooltip comparing:
- Decayed Score: What's displayed (with decay applied)
- Raw Score: Original sum without decay
Common Scenarios
Scenario 1: All findings from yesterday
- 24h Score: 0 (no findings in last 24 hours)
- 7d Score: [decayed total] (findings from 1-3 days ago × 0.7)
Scenario 2: Burst of activity 5 days ago
- 24h Score: 0
- 7d Score: Low (5-7 day findings × 0.2)
Scenario 3: Ongoing active threat
- 24h Score: High (recent findings × 1.0)
- 7d Score: Higher (includes recent + older decayed findings)
API Reference
Get Risk Weight
```
GET /api/settings/risk
```
Response:
```json
{
  "risk_weight": 0.5
}
```
Update Risk Weight
```
PUT /api/settings/risk
Content-Type: application/json

{
  "risk_weight": 0.75
}
```
Get Decay Configuration
```
GET /api/settings/risk-decay
```
Response:
```json
{
  "decay_0_24h": 1.0,
  "decay_1_3d": 0.7,
  "decay_3_5d": 0.4,
  "decay_5_7d": 0.2
}
```
Update Decay Configuration
```
PUT /api/settings/risk-decay
Content-Type: application/json

{
  "decay_0_24h": 1.0,
  "decay_1_3d": 0.7,
  "decay_3_5d": 0.4,
  "decay_5_7d": 0.2
}
```
Validation:
- All values must be between 0.0 and 1.0
- All four fields are required
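The following Python is an added example (not the product's own code) that puts the documented rules together: the global and per-query weight, the four decay windows, the 24h / 7d columns with their raw-versus-decayed comparison, and the validation rules for PUT /api/settings/risk-decay. Treating each window's upper bound as exclusive and applying the weight before decay are assumptions, and `Finding`, `entity_scores` and the other names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional
# Documented defaults; this example is constructed here and is not the product's own code.
DEFAULT_DECAY = {"decay_0_24h": 1.0, "decay_1_3d": 0.7, "decay_3_5d": 0.4, "decay_5_7d": 0.2}
# Upper bound in hours of each window; treating the bound as exclusive is an assumption.
BUCKETS = ((24, "decay_0_24h"), (72, "decay_1_3d"), (120, "decay_3_5d"), (168, "decay_5_7d"))

def validate_decay_config(cfg: dict) -> dict:
    """Rules documented for PUT /api/settings/risk-decay: all four fields, each in [0.0, 1.0]."""
    missing = [k for k in DEFAULT_DECAY if k not in cfg]
    if missing:
        raise ValueError(f"missing decay fields: {missing}")
    for k in DEFAULT_DECAY:
        v = cfg[k]
        if isinstance(v, bool) or not isinstance(v, (int, float)) or not 0.0 <= v <= 1.0:
            raise ValueError(f"{k} must be between 0.0 and 1.0, got {v!r}")
    return cfg

def decay_factor(age_hours: float, cfg: dict = DEFAULT_DECAY) -> float:
    """Decay factor for a finding of the given age; older than 7 days gives 0.0."""
    for upper_hours, key in BUCKETS:
        if age_hours < upper_hours:
            return cfg[key]
    return 0.0

def final_score(raw_score: float, global_weight: float, weight: Optional[float] = None) -> int:
    """Final Score = round(Raw Score x Weight); a per-query weight= overrides the global weight."""
    return round(raw_score * (global_weight if weight is None else weight))

@dataclass
class Finding:
    raw_score: float
    age_hours: float
    weight: Optional[float] = None  # set when the rule used `| risk ... weight=`

def entity_scores(findings, global_weight: float, cfg: dict = DEFAULT_DECAY) -> dict:
    """Risk Analytics columns for one entity; applying weight before decay is an assumption."""
    validate_decay_config(cfg)
    s24 = s7 = raw7 = 0.0
    n24 = n7 = 0
    for f in findings:
        if f.age_hours >= 168:
            continue  # older than 7 days: excluded outright, not merely weighted to zero
        scored = final_score(f.raw_score, global_weight, f.weight)
        decayed = scored * decay_factor(f.age_hours, cfg)
        s7, raw7, n7 = s7 + decayed, raw7 + scored, n7 + 1
        if f.age_hours < 24:
            s24, n24 = s24 + decayed, n24 + 1
    return {"24h_score": s24, "7d_score": s7, "7d_raw": raw7, "findings": f"{n24} / {n7}"}
```

With global weight 0.5, findings of 80 (2h old), 50 with weight=0.8 (30h), 100 (4 days), 40 (130h) and 60 (200h) give a 24h score of 40, a 7d score of 92 against a raw 7d sum of 150, and a "1 / 4" findings count, since the 200h finding is excluded.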
Permissions
Managing risk settings requires the risk:configure permission. Users with this permission can:
- Adjust global risk weight
- Configure TTL decay factors
- Reset settings to defaults
View-only access to the Risk Analytics page requires the risk:view permission.