LogSentinel SIEM automatically creates a risk score for each detected actor (user or entity). The risk score is available from the Threat hunting > Risk scoring menu.
The risk score is a number from 0 to 100 and is based on the following behavior parameters:
- total actions performed by the user
- the number of different (distinct) actions performed by the user
- the distinct IP addresses associated with their actions
- the countries that are associated with the user activity
- the distinct computers used by the user (according to Active Directory logs)
- the number of events of severity error or higher associated with the user
- the number of privileged actions performed
- the number of threat intelligence (IoC) matches for events associated with the user
All of those parameters are shown alongside the score for the users with the highest risk scores, and the list is sorted by risk score descending so that the riskiest actors can be investigated first.
Clicking on the userId/display name opens the user activity panel, where a detailed investigation of that user's events can be performed.
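To make the behaviour-parameter approach concrete, the following is an added example (not LogSentinel's own code or scoring formula) that extracts the eight parameters listed above from a handful of constructed events, combines them with assumed weights into a 0-100 score, and ranks the users. The events, the field layout, the severity levels and the weights are all assumptions made for the illustration; a real SIEM would derive them from parsed log data and tune the weights to its environment.

```python
"""Constructed example of per-user risk scoring from behaviour parameters.

The events, the feature extraction and the weights below are assumptions
made for this illustration; they are not LogSentinel's actual formula.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real log data). Each tuple is:
# (user, action, source_ip, country, host, severity, privileged, ioc_match)
EVENTS = [
    ("alice", "login",     "10.0.0.5",     "DE", "WS-01",  "info",  False, False),
    ("alice", "read_file", "10.0.0.5",     "DE", "WS-01",  "info",  False, False),
    ("alice", "logout",    "10.0.0.5",     "DE", "WS-01",  "info",  False, False),
    ("bob",   "login",     "10.0.0.9",     "DE", "WS-02",  "info",  False, False),
    ("bob",   "login",     "203.0.113.7",  "RU", "WS-02",  "error", False, True),
    ("bob",   "add_admin", "203.0.113.7",  "RU", "DC-01",  "info",  True,  False),
    ("bob",   "add_admin", "198.51.100.3", "CN", "DC-01",  "error", True,  True),
    ("bob",   "login",     "198.51.100.3", "CN", "SRV-07", "error", False, False),
]

# Severities that count as "error or higher" (assumed level names).
ERROR_LEVELS = {"error", "critical", "fatal"}

# Assumed weights per parameter; the final score is capped at 100.
WEIGHTS = {
    "total_actions": 1, "distinct_actions": 2, "distinct_ips": 8,
    "countries": 10, "distinct_hosts": 6, "errors": 5,
    "privileged_actions": 10, "ioc_matches": 20,
}

# Parameters where a single value is the normal baseline: only the
# excess over one IP / one country / one host adds to the score.
BASELINE_ONE = {"distinct_ips", "countries", "distinct_hosts"}


@dataclass
class UserProfile:
    """Raw behaviour parameters accumulated for one actor."""
    total_actions: int = 0
    actions: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    errors: int = 0
    privileged_actions: int = 0
    ioc_matches: int = 0


def build_profiles(events):
    """Aggregate events into one UserProfile per user."""
    profiles = defaultdict(UserProfile)
    for user, action, ip, country, host, sev, priv, ioc in events:
        p = profiles[user]
        p.total_actions += 1
        p.actions.add(action)
        p.ips.add(ip)
        p.countries.add(country)
        p.hosts.add(host)
        if sev in ERROR_LEVELS:
            p.errors += 1
        if priv:
            p.privileged_actions += 1
        if ioc:
            p.ioc_matches += 1
    return profiles


def features(p):
    """The eight parameters the score is built from, as shown next to it."""
    return {
        "total_actions": p.total_actions,
        "distinct_actions": len(p.actions),
        "distinct_ips": len(p.ips),
        "countries": len(p.countries),
        "distinct_hosts": len(p.hosts),
        "errors": p.errors,
        "privileged_actions": p.privileged_actions,
        "ioc_matches": p.ioc_matches,
    }


def risk_score(p):
    """Weighted sum of the parameters, clipped to the 0..100 range."""
    raw = 0
    for name, value in features(p).items():
        if name in BASELINE_ONE:
            value = max(0, value - 1)
        raw += WEIGHTS[name] * value
    return min(100, raw)


def ranked_users(events):
    """(user, score) pairs sorted by risk score, highest first."""
    profiles = build_profiles(events)
    scored = [(user, risk_score(p)) for user, p in profiles.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    profiles = build_profiles(EVENTS)
    for user, score in ranked_users(EVENTS):
        print(user, score, features(profiles[user]))
```

With the constructed data, alice (one IP, one country, one host, no errors, no privileged actions, no IoC hits) scores 9, while bob's three source countries, three hosts, two privileged actions and two IoC matches push him past the cap to 100 and to the top of the list. The cap is worth noting when tuning weights: once several parameters saturate, the score no longer distinguishes between "bad" and "much worse", which is exactly when the per-parameter breakdown shown next to the score becomes more useful than the score itself.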