Entity risk scoring requirements

edit

To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete project feature.

This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations.

Entity risk scoring
edit
User rolesedit

To turn on the risk scoring engine, you need either the appropriate predefined Security user role or a custom role with the right privileges:

Predefined roles

  • Platform engineer
  • Detections admin
  • Admin

Custom role privileges

Cluster Index Kibana
  • manage_index_templates
  • manage_transform

all privilege for risk-score.risk-score-*

Read for the Security feature

Known limitationsedit
  • The risk scoring engine uses an internal user role to score all hosts and users. After you turn on the risk scoring engine, all alerts in the project will contribute to host and user risk scores.
  • You cannot customize alert data views or risk weights associated with alerts and asset criticality levels.
Asset criticality
edit
User rolesedit

To use asset criticality, you need either the appropriate predefined Security user role or a custom role with the right privileges:

Predefined roles

Action Predefined role

View asset criticality

  • Viewer
  • Tier 1 analyst

View, assign, change, or unassign asset criticality

  • Editor
  • Tier 2 analyst
  • Tier 3 analyst
  • Threat intelligence analyst
  • Rule author
  • SOC manager
  • Endpoint operations analyst
  • Platform engineer
  • Detections admin
  • Endpoint policy manager

Custom role privileges

Custom roles need the following privileges for the .asset-criticality.asset-criticality-<space-id> index:

Action Index privilege

View asset criticality

read

View, assign, or change asset criticality

read and write

Unassign asset criticality

delete