Entity risk scoring requirements

To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete project feature.

This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations.

Entity risk scoring

edit

User rolesedit

To turn on the risk scoring engine, you need either the appropriate predefined Security user role or a custom role with the right privileges:

Predefined roles

Platform engineer
Detections admin
Admin

Custom role privileges

Cluster	Index	Kibana
`manage_index_templates` `manage_transform`	`all` privilege for `risk-score.risk-score-*`	Read for the Security feature

Known limitationsedit

The risk scoring engine uses an internal user role to score all hosts and users. After you turn on the risk scoring engine, all alerts in the project will contribute to host and user risk scores.
You cannot customize alert data views or risk weights associated with alerts and asset criticality levels.

Asset criticality

edit

User rolesedit

To use asset criticality, you need either the appropriate predefined Security user role or a custom role with the right privileges:

Predefined roles

Action	Predefined role
View asset criticality	Viewer Tier 1 analyst
View, assign, change, or unassign asset criticality	Editor Tier 2 analyst Tier 3 analyst Threat intelligence analyst Rule author SOC manager Endpoint operations analyst Platform engineer Detections admin Endpoint policy manager

Custom role privileges

Custom roles need the following privileges for the .asset-criticality.asset-criticality-<space-id> index:

Action	Index privilege
View asset criticality	`read`
View, assign, or change asset criticality	`read` and `write`
Unassign asset criticality	`delete`

« Entity risk scoring Asset criticality »