The Global Risk Based Priority (RBP) threshold represents the minimum RBP of events that you want to monitor. The 100-point RBP scale provides a relative measure of an event’s risk to help you prioritize analysis and response efforts. By default, all events are stored online and are searchable, even if they are not forwarded to the Platform Manager according to Global RBP.

There are four fields that let you further customize RBP settings: AIE RBP Settings, Default Destination Risk Level (MPE/AIE), Default Source Threat Level (MPE/AIE), and MPE RBP Settings. These settings work with the Global RBP to customize the priority of logs coming through, and whether they are treated as Events.

Risk-Based Priority Definitions

Abbreviation   Definition
BCR            Base-Class Risk Rating (Audit: 1, Ops: 2, Security: 3)
CR             Classification Risk
CRR            Classification Risk Rating
CW             Classification Weight (default is 5, set in Mediator Advanced Properties)
DRL            Destination Risk Level (set in Host, Basic Information tab)
DW             Destination Weight (default is 5, set in Mediator Advanced Properties)
ER             Event Risk (Risk Rating value set in MPE Policy Rule Editor)
ERR            Event Risk Rating
EW             Event Weight (default is 5, set in Mediator Advanced Properties)
FA             False Alarm Rating (set in MPE Properties)
FW             False Alarm Weight (default is 5, set in Mediator Advanced Properties)
MAX            Max Classification Rating = 27 (highest SCR of 9 * highest BCR of 3)
RBP            Risk-Based Priority
RP             Risk Points
SCR            Sub-Class Risk Rating
STL            Source Threat Level (set in Host, Threat Level tab)
SW             Source Weight (default is 5, set in Mediator Advanced Properties)
TAP            Total Available Points: 9 * (CW + EW + SW + DW) = 180 (by default)

AIE RBP Calculation

To calculate an overall priority for AIE Events, LogRhythm gathers the following information:

  • Origin Host (Source) Threat Level (STL): can be known, unknown, or default (internal or external)
  • Impacted Host (Destination) Risk Level (DRL): can be known, unknown, or default (internal or external)
  • Origin Network
  • Impacted Network
  • AIE Rule
    • Risk Rating
    • False Positive Probability
  • Global Weights for above values
  • Influencer
    • Balanced
    • Rule Risk Rating
    • Impacted Host

Destination Risk Level (DRL) Calculation (AIE or MPE)

  • If the log was resolved to a Known Impacted Host, the Host Risk Level assigned the Host record is used.

    DRL = Host Risk Level for Known Impacted Host

  • If an IP was parsed, network resolution is performed. If a Network is found, the Network Risk Level is used.

    DRL = Risk Level of Resolved Network based on Known Impacted Host IP Address

  • If a Risk Level cannot be determined via a Known Host or Network

    DRL = Default Risk Level as defined in the Platform Manager, in the Global Risk Based Priority section under Default Destination Risk Level (MPE/AIE)

Source Threat Level (STL) Calculation (AIE or MPE)

  • If the log was resolved to a Known Origin Host, the value assigned the Host record for Threat Level is used.

    STL = Threat Level for Known Origin Host

  • If an IP was parsed, network resolution is performed. If a Network is found, the Network Risk Level is used.

    STL = Risk Level of Resolved Network based on Known Origin Host IP Address

  • If a Risk Rating cannot be determined via a Known Host or Network

    STL = Default Threat Level as defined in the Platform Manager, in the Global Risk Based Priority section under Default Source Threat Level (MPE/AIE)

MPE RBP Calculation

To calculate an overall priority for MPE Events, LogRhythm gathers the following information:

  • Origin Host (Source) Threat Level (STL): can be known, unknown, or default (internal or external)
  • Impacted Host (Destination) Risk Level (DRL): can be known, unknown, or default (internal or external)
  • Origin Network
  • Impacted Network
  • Message Classification
  • Common Event
  • Global Weights for the above values

Additional Factors

In addition to factors from the log message and MPE/AIE Rules, global RBP settings are also applied. Each factor in the list has a weight value, and there are three different settings for the AIE RBP calculation:

  • Rule Risk Rating influence
  • Impacted Host influence
  • Balanced—a blend of the first two settings

Finally, there are global (internal and external) defaults for the Origin Host and Impacted Host threat and risk levels, as well as fallback methods for setting risk and threat levels. If there is no level set on the host, then risk falls back to the network level. If there is no network level, then risk falls back to the global defaults—internal or external, based on the host address.

Risk-Based Priority Host Levels

DRL. Host Risk Level represents the amount of risk developed if the system were to become compromised or the subject of some other issue. A value of 0 means no risk is involved in the loss of this system; a value of 9 means the most risk will be incurred if an issue arises. This is relevant when this host is the impacted system, target, or is acted upon by external forces.

STL. The Host Threat Level designates the amount of threat that is developed if the system were to be the origin of actions. A value of 0 means that actions originating from this host are of little cause for alarm or are possibly commonplace, and a value of 9 means that this system should not be the source of outgoing actions and that there is the greatest threat to security if such events are observed.

Risk-Based Priority Network Levels

DRL. The Network Risk Level represents the amount of risk developed if the network were to become compromised or the subject of some other issue. A value of 0 means no risk is involved in the loss of this network; a value of 9 means the most risk is incurred if an issue arises. This is relevant when this network is the impacted network, target, or is acted upon by external forces.

STL. The Network Threat Level designates the degree of threat when the network is the origin of actions. A value of 0 means that actions originating from this network are of little cause for alarm or are possibly commonplace. A value of 9 means that this network should not be the source of outgoing actions and that there is the greatest threat to security if such events are observed.