Risk Insights

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Overview

Cloud SIEM’s Risk Insights consolidates multiple data sources, such as SIEM threats and Cloud Security insights, into a profile representing a single security entity, such as an IAM user.

With Risk Insights, you can:

  • Explore entities, filtering them by attributes such as risk score severity and configuration risks.
  • View all data relevant to an entity, such as signals, misconfigurations, and identity risks.
  • Triage relevant items in bulk.
  • Take mitigation steps such as creating a global suppression or creating a case for an entity.

Prerequisites

Explore risk insights

Query and filter entities

On the Risk Insights Explorer, you can view all entities that have a non-zero risk score associated to them.

A list of entities and their risk scores in the Risk Insights Explorer

Quickly build context on an entity

Click an entity in the Explorer to open the entity side panel.

The side panel for an entity

The What Happened section of the panel summarizes the count of signals, misconfigurations, and identity risks and how they have contributed to the risk score, as well as any potential configuration risks.

The What contributes to the score section displays the list of fired signals, relevant misconfigurations, and identity risks.

Triage and mitigate threats in bulk

The Next steps section of the entity side panel includes the available mitigation steps for SIEM signals, misconfigurations, and identity risks.

The available next steps for an entity as shown in the entity side panel

Risk scoring

An entity’s risk score approximates the entity’s risk level over the past 14 days of activity.

The risk score is calculated from the characteristics of the entity’s associated signals, such as the severity level of the signal and how many times the signal has fired.

Signal’s score impact

Each signal has a score impact. You can see a signal’s score impact in the entity panel.

Note: A signal’s score impact lasts for 2 weeks, after which the score drops to 0.

Signal SeverityNumber of points
Critical100
High50
Medium5
Low and Info0

Entity’s severity threshold

The severity threshold of an entity is calculated by adding up the score impact for all signals associated with the entity.

Entity’s Severity ThresholdSum of the score impact for all related signals
CriticalGreater than or equal to 100.
HighGreater than or equal to 50 and less than 100.
MediumGreater than or equal to 25 and less than 50.
LowGreater than or equal to 10 and less than 25.
InfoLess than 10.

Further reading

추가 유용한 문서, 링크 및 기사:

Accelerate investigations with Datadog Cloud SIEM Risk-based Insights and AWS Entity AnalyticsBLOG more more