Risk Based Priority Calculator
Given the high volume of logs collected per day at even small organizations, security analysts commonly experience “alarm fatigue”—they receive too many alarms, and those alarms are often not correctly prioritized. In these situations, the number of events and alarms that require investigation can quickly grow beyond the capacity of what security analysts at the organization can investigate during a workday.
The LogRhythm Risk-Based Priority (RBP) Calculator feature supports analysts by determining RBP for the Message Processing Engine (MPE) and AI Engine (AIE) based on factors such as Source Threat Level (STL), Destination Risk Level (DRL), message class, Common Event, AIE Rule, environmental influencers, and AIE Rule and Host influencers. The resulting RBP rating helps prioritize generated events and alarms based on the risk they present to the organization. This prompts analysts to investigate the highest-risk alarms first, and enables managers to specify minimum operational thresholds—such as a “zero alarm inbox” philosophy—for all alarms with RBP greater than a specified level.
RBP Calculation Criteria
To calculate an overall priority for MPE Events, LogRhythm gathers the following information:
- Origin Host (Source) Threat Level (STL): can be known, unknown, or default (internal or external)
- Impacted Host (Destination) Risk Level (DRL): can be known, unknown, or default (internal or external)
- Origin Network
- Impacted Network
- Message Classification
- Common Event
- Global Weights for the above values
To calculate an overall priority for AIE Events, LogRhythm gathers the following information:
- Origin Host (Source) Threat Level (STL): can be known, unknown, or default (internal or external)
- Impacted Host (Destination) Risk Level (DRL): can be known, unknown, or default (internal or external)
- Origin Network
- Impacted Network
- AIE Rule
- Risk Rating
- False Positive Probability
- Global Weights for above values
- Influencer, one of:
  - Balanced
  - Rule Risk Rating
  - Impacted Host
In addition to factors from the log message and MPE/AIE Rules, global RBP settings are also applied. Each factor in the list has a weight value, and there are three different settings for the AIE RBP calculation:
- Rule Risk Rating influence
- Impacted Host influence
- Balanced—a blend of the first two settings
Finally, there are global (internal and external) defaults for the Origin Host and Impacted Host threat and risk levels, as well as fallback methods for setting risk and threat levels. If there is no level set on the host, then risk falls back to the network level. If there is no network level, then risk falls back to the global defaults—internal or external, based on the host address.
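The host-to-network-to-global fallback described above, written out as an added Python example (not LogRhythm code). The level tables, the 0-9 style scale, the separate STL and DRL tables, and the RFC 1918 definition of "internal" are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample data (assumption, not LogRhythm configuration).
# Host entries are keyed by address, network entries by CIDR, and the
# global defaults are split into internal and external values.
STL_HOSTS: Dict[str, int] = {"203.0.113.40": 8}      # known-bad origin host
STL_NETWORKS: Dict[str, int] = {"10.0.1.0/24": 2}    # trusted lab segment
STL_DEFAULTS: Dict[str, int] = {"internal": 1, "external": 5}

DRL_HOSTS: Dict[str, int] = {"10.0.1.5": 9}          # domain controller
DRL_NETWORKS: Dict[str, int] = {"10.0.2.0/24": 6}    # server VLAN
DRL_DEFAULTS: Dict[str, int] = {"internal": 3, "external": 2}

# Assumption: an "internal" address is one inside the RFC 1918 ranges.
INTERNAL_RANGES = [ipaddress.ip_network(c)
                   for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_RANGES)

def network_level(address: str, networks: Dict[str, int]) -> Optional[int]:
    """Level of the most specific configured network containing the address, or None."""
    ip = ipaddress.ip_address(address)
    best: Optional[Tuple[int, int]] = None  # (prefix length, level)
    for cidr, level in networks.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, level)
    return None if best is None else best[1]

def resolve_level(address: str, hosts: Dict[str, int], networks: Dict[str, int],
                  defaults: Dict[str, int]) -> Tuple[int, str]:
    """Fallback chain from the text: host level -> network level -> global default."""
    if address in hosts:
        return hosts[address], "host"
    level = network_level(address, networks)
    if level is not None:
        return level, "network"
    scope = "internal" if is_internal(address) else "external"
    return defaults[scope], "global-" + scope

def resolve_stl(origin: str) -> Tuple[int, str]:
    return resolve_level(origin, STL_HOSTS, STL_NETWORKS, STL_DEFAULTS)

def resolve_drl(impacted: str) -> Tuple[int, str]:
    return resolve_level(impacted, DRL_HOSTS, DRL_NETWORKS, DRL_DEFAULTS)

if __name__ == "__main__":
    for origin, impacted in (("203.0.113.40", "10.0.1.5"), ("198.51.100.9", "10.0.2.30")):
        print(origin, resolve_stl(origin), "->", impacted, resolve_drl(impacted))
```

The second element of each result records which tier supplied the level, which is the first thing to check when an alarm's priority looks wrong.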
RBP Calculator v 1.0.0 Release Notes
Known Issues

Priority | Description
---|---
Medium | Add Active Directory login capability to RBP Calculator.
Low | New host not populated when cached, even after reset.
Low | Distortion in UI.
Low | Unable to select Common Event for Classification Audit/AccessFailure when toggling between MPE RBP and AIE RBP.
Low | Improvement: Change UAC Label from RBPCalc.