- In the Client Console, click Deployment Manager, and then click Entities.
- Do one of the following to determine the Destination Risk Level (DRL) and Source Threat Level (STL) for the Origin Host and Impacted Host:
- For a known host, look at the Entity Hosts grid on the bottom of the window. The DRL is the value in Risk Level column and the STL is the value in the Threat Level column.
- For an unknown host, look at the Entity Networks grid on the top of the window. Use the IP address to determine whether the host is in a Known Network range.
- If the IP address is in the Known Network range, then the DRL is the value in Risk Level column and the STL is the value in the Threat Level column.
- If the IP address is not in the Known Network range, then use the IP address to determine if the host is internal or external, and then use the appropriate global default DRL/STL.
The IP address is determined to be internal (private) if it is in one of the ranges that follows. If the IP is not in one of these ranges, it is determined to be external (public).
Obtain the Message Classification risk rating from the following table.
Sub-Class Rating Audit 1 Audit/Authentication Success 0 Audit/Authentication Failure 3 Audit/Access Success 0 Audit/Access Failure 5 Audit/Account Created 2 Audit/Account Deleted 0 Audit/Other Audit Success 0 Audit/Account Modified 2 Audit/Access Granted 2 Audit/Access Revoked 0 Audit/Startup and Shutdown 0 Audit/Policy 0 Audit/Configuration 0 Audit/Other Audit Failure 4 Audit/Other 0 Security 3 Security/Reconnaissance 1 Security/Suspicious 5 Security/Misuse 2 Security/Attack 9 Security/Malware 6 Security/Denial of Service 7 Security/Compromise 9 Security/Vulnerability 5 Security/Failed Attack 0 Security/Failed Denial of Service 0 Security/Failed Malware 0 Security/Failed Suspicious 0 Security/Failed Misuse 0 Security/Failed Activity 0 Security/Activity 0 Security/Other 3 Operations 2 Ops/Critical 9 Ops/Error 7 Ops/Warning 5 Ops/Information 1 Ops/Network Allow 0 Ops/Network Deny 3 Ops/Network Traffic 0 Ops/Other 2
Open SQL Server, and obtain the Common Event Risk Rating. Query the LogRhythm EMDB CommonEvent table for the Name field that matches the Common Event of the log, as determined by the log source type and MPE rule.
- Determine the weights of the values above from the Global RBP settings.
- In the Client Console, click Deployment Manager, and then click Platform Manager.
Apply the values to the MPE RBP formula.
The MPE RBP formula is RBP = (CRRp + ERRp + DRTp + STLp) / MaxPossibleRiskPoints × 100.
CRRp = Classification Risk Points = Class Relative Risk Rating × Class Weight
ERRp = Event Risk Rating Points = Event Risk Rating × Risk Rating Weight
DRTp = Destination Risk Rating Points = Destination Risk Threshold Points × DRT Weight
STLp = Source Threat Rating Points = Source Threat Threshold Points × STL Weight
MaxPossiblePoints = (ClassWt × MAX_CRR) + (EventWt × MAX_ERR) + (STLWt × MAX_STL) + (DRLWt × MAX_DRL)
(Here, MAX_CRR = MAX_ERR = MAX_STL = MAX_DRL = 9)