Event risk score calculation

    Event score calculation plays a vital role in helping security analysts and IT teams quickly assess the severity of an event and prioritize which ones to investigate or respond to first. In environments where hundreds or thousands of events are generated every day, having a calculated score helps cut through the noise and focus on what truly matters. By assigning a numerical score to each event, the system gives you a clear indication of its potential impact or threat level. Higher scores typically signal more critical or suspicious activity that may require immediate attention.

    How event score is calculated

    The event score is computed using a weighted model that considers four key factors. Each factor adds context to the event, helping define how urgent or dangerous it might be.

    1. Rule priority

    Every event is tied to a rule that was violated. Rules are predefined based on the severity of the behavior they detect. For example, a rule that detects lateral movement or a port scan is more serious than one that detects excess broadcast/networkcast flows.

    • Why it matters: A high-priority rule signals a more critical threat.
    • Weight: This factor carries the highest weight in the score.

    2. Number of offenders

    This factor reflects how many unique entities (such as IP addresses, users, or devices) are involved in the event.

    • Why it matters: A single IP triggering an alert might be less concerning than multiple IPs or users triggering the same alert, which may suggest a coordinated attack.
    • Example: If 15 devices suddenly connect to a suspicious domain, it suggests a broader issue compared to a single device.

    3. Threshold violation

    Each rule has an ML-based threshold — a limit that, when crossed, indicates unusual activity. This factor captures how far an event has surpassed that threshold.

    • Why it matters: The more an event exceeds the defined threshold, the more impactful or unusual it is likely to be.
    • Example: A rule may be set to trigger if an asset tries to ping 10 IPs. If the same asset pings 100 IPs in the network for discovery purposes, the violation is 10x the threshold, signalling higher risk.

    4. Time decay factor

    Older events are typically less relevant than recent ones. This factor ensures that newer events are given higher priority over time, helping security teams focus on active or emerging issues.

    • Why it matters: It prevents outdated events from clogging dashboards and ensures focus stays on what’s happening now.
    • Example: An event from 10 minutes ago might have a higher score than a similar event from 3 days ago, even if other conditions are the same.
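    The four factors above combined into one score, as an added example in Python (not the product's own scoring code). The page gives no numeric weights, priority scale, saturation points or decay rate, so the values below are assumptions chosen to match the text: rule priority carries the highest weight, the offender count saturates at 20, the threshold factor saturates at 10x the threshold (the page's "10x" ping example), and the recency contribution halves every 12 hours. The sample events are constructed.

```python
"""Illustrative weighted event risk score.

Added example, not the product's implementation. WEIGHTS, RULE_PRIORITY,
MAX_OFFENDERS, MAX_THRESHOLD_RATIO and HALF_LIFE are all assumptions.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed weights (sum to 1.0); rule priority dominates, as the page states.
WEIGHTS = {"rule_priority": 0.5, "offenders": 0.2, "threshold": 0.2, "recency": 0.1}
# Assumed mapping of a rule's priority label to a 0..1 value.
RULE_PRIORITY = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}
MAX_OFFENDERS = 20               # assumed: 20 or more distinct offenders saturates factor 2
MAX_THRESHOLD_RATIO = 10.0       # assumed: 10x the threshold saturates factor 3
HALF_LIFE = timedelta(hours=12)  # assumed: recency contribution halves every 12 hours


@dataclass
class Event:
    rule_name: str
    rule_priority: str      # one of RULE_PRIORITY's keys
    offenders: set          # distinct IPs / users / devices involved
    observed: float         # value measured for the rule (e.g. number of IPs pinged)
    threshold: float        # the rule's (ML-derived) threshold
    timestamp: datetime     # when the event was raised (timezone-aware)


def priority_component(priority: str) -> float:
    """Factor 1: rule priority mapped to 0..1."""
    return RULE_PRIORITY[priority]


def offenders_component(n_offenders: int) -> float:
    """Factor 2: distinct offenders, linear up to MAX_OFFENDERS, then capped at 1.0."""
    return min(max(n_offenders, 0), MAX_OFFENDERS) / MAX_OFFENDERS


def threshold_component(observed: float, threshold: float) -> float:
    """Factor 3: how far the observed value exceeds the threshold, on a log scale.
    At or below the threshold -> 0.0; at MAX_THRESHOLD_RATIO times it -> 1.0."""
    if threshold <= 0 or observed <= threshold:
        return 0.0
    return min(math.log10(observed / threshold) / math.log10(MAX_THRESHOLD_RATIO), 1.0)


def recency_component(event_time: datetime, now: datetime) -> float:
    """Factor 4: exponential time decay; 1.0 for a brand-new event, 0.5 after HALF_LIFE."""
    age = max(now - event_time, timedelta(0))  # clock skew: never reward future timestamps
    return 0.5 ** (age / HALF_LIFE)


def event_score(event: Event, now: datetime) -> float:
    """Weighted sum of the four components, scaled to 0..100."""
    total = (
        WEIGHTS["rule_priority"] * priority_component(event.rule_priority)
        + WEIGHTS["offenders"] * offenders_component(len(event.offenders))
        + WEIGHTS["threshold"] * threshold_component(event.observed, event.threshold)
        + WEIGHTS["recency"] * recency_component(event.timestamp, now)
    )
    return round(100 * total, 1)


def rank_events(events, now):
    """Return (score, event) pairs, highest score first: the triage order."""
    return sorted(((event_score(e, now), e) for e in events), key=lambda p: p[0], reverse=True)


# Constructed reference time and sample events (not real data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # one host pings 100 IPs against a threshold of 10 (10x), 10 minutes ago
    Event("network_discovery_scan", "high", {"10.0.0.5"}, 100, 10, NOW - timedelta(minutes=10)),
    # the same violation, but 3 days old
    Event("network_discovery_scan", "high", {"10.0.0.5"}, 100, 10, NOW - timedelta(days=3)),
    # 15 devices contact one suspicious domain, just over threshold, 1 hour ago
    Event("suspicious_domain_contact", "medium", {f"10.0.1.{i}" for i in range(15)}, 16, 10,
          NOW - timedelta(hours=1)),
    # noisy broadcast from a single host under a low-priority rule, 5 minutes ago
    Event("excess_broadcast_flows", "low", {"10.0.2.9"}, 12, 10, NOW - timedelta(minutes=5)),
]

if __name__ == "__main__":
    for score, e in rank_events(SAMPLE_EVENTS, NOW):
        print(f"{score:5.1f}  {e.rule_name:26} priority={e.rule_priority:8} "
              f"offenders={len(e.offenders):2} ratio={e.observed / e.threshold:.1f}x")
```

    Running the block prints the four constructed events in triage order: the fresh 10x scan scores highest, the identical scan from three days ago drops below it purely through time decay, the many-offender domain contact sits in between because its rule priority is lower, and the single-host broadcast noise lands last. The log scale in the threshold factor keeps an extreme outlier (1000x) from swamping the other three factors; a linear ratio would let one factor dominate the weighted model.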
