
Risk Scoring Model

RhythmX uses a 7-factor weighted risk model to calculate a single 0–100 integer risk score for every actor (user, host, or IP) in the environment. The score drives risk tiering, SLA targets, incident creation, and automated ticket escalation — ensuring that the most dangerous threats surface first.


How Risk Scoring Works

flowchart TD
    LR["<b>LogRhythm SIEM</b><br><i>Alarms</i>"] --> ACS["<b>Actor Cache Sync</b><br><i>Periodic recalculation</i>"]
    SIG["<b>RhythmX Engine</b><br><i>RhythmX Rules + Correlation</i>"] --> ACS

    ACS --> TC["<b>Threat Cases</b><br>30%"]
    ACS --> SA["<b>RhythmX Alerts</b><br>20%"]
    ACS --> VOL["<b>Volume</b><br>10%"]
    ACS --> VEL["<b>Velocity</b><br>10%"]
    ACS --> DIV["<b>Diversity</b><br>10%"]
    ACS --> MIT["<b>MITRE ATT&CK</b><br>10%"]
    ACS --> REC["<b>Recency</b><br>10%"]

    TC --> FS["<b>Final Risk Score</b><br>0 – 100"]
    SA --> FS
    VOL --> FS
    VEL --> FS
    DIV --> FS
    MIT --> FS
    REC --> FS

    FS --> RL["<b>Risk Level</b><br>Critical · High · Medium · Low"]

    style LR fill:#0d47a1,stroke:#42a5f5,color:#fff
    style SIG fill:#7b1fa2,stroke:#ce93d8,color:#fff
    style ACS fill:#1a237e,stroke:#534bae,color:#fff
    style TC fill:#b71c1c,stroke:#ef5350,color:#fff
    style SA fill:#c62828,stroke:#ef9a9a,color:#fff
    style VOL fill:#e65100,stroke:#ff9800,color:#fff
    style VEL fill:#ef6c00,stroke:#ffb74d,color:#fff
    style DIV fill:#f57f17,stroke:#ffee58,color:#fff
    style MIT fill:#00695c,stroke:#4db6ac,color:#fff
    style REC fill:#00838f,stroke:#4dd0e1,color:#fff
    style FS fill:#880e4f,stroke:#f06292,color:#fff
    style RL fill:#1b5e20,stroke:#66bb6a,color:#fff

Score Formula

Each factor produces a 0–100 component score, then all seven are combined using fixed weights:

flowchart LR
    subgraph RhythmX["<b>RhythmX Intelligence — 50%</b>"]
        TC["Threat Cases<br><b>× 0.30</b>"]
        SA["RhythmX Alerts<br><b>× 0.20</b>"]
    end

    subgraph LogRhythm["<b>LogRhythm Behavioral — 10%</b>"]
        DIV["Diversity<br><b>× 0.10</b>"]
    end

    subgraph Combined["<b>Combined Sources — 40%</b>"]
        VOL["Volume<br><b>× 0.10</b>"]
        VEL["Velocity<br><b>× 0.10</b>"]
        MIT["MITRE ATT&CK<br><b>× 0.10</b>"]
        REC["Recency<br><b>× 0.10</b>"]
    end

    TC --> SUM["<b>Σ Weighted Sum</b><br>= Final Score<br><i>0 – 100</i>"]
    SA --> SUM
    VOL --> SUM
    VEL --> SUM
    DIV --> SUM
    MIT --> SUM
    REC --> SUM

    style RhythmX fill:#4a148c,stroke:#9c27b0,color:#fff
    style LogRhythm fill:#0d47a1,stroke:#42a5f5,color:#fff
    style Combined fill:#00695c,stroke:#4db6ac,color:#fff
    style TC fill:#7b1fa2,stroke:#ce93d8,color:#fff
    style SA fill:#7b1fa2,stroke:#ce93d8,color:#fff
    style VOL fill:#00897b,stroke:#80cbc4,color:#fff
    style VEL fill:#00897b,stroke:#80cbc4,color:#fff
    style DIV fill:#1565c0,stroke:#64b5f6,color:#fff
    style MIT fill:#00796b,stroke:#80cbc4,color:#fff
    style REC fill:#00796b,stroke:#80cbc4,color:#fff
    style SUM fill:#b71c1c,stroke:#ef5350,color:#fff

The 7 Factors

1. Threat Cases — 30% (RhythmX)

The highest-weighted factor. Measures active correlated threat cases involving this actor — attack patterns detected by RhythmX's sigma-case-correlation engine (lateral movement, ransomware, brute force, etc.).

flowchart LR
    subgraph Input["<b>Active Threat Cases</b>"]
        C0["0 cases"]
        C1["1 case"]
        C2["2 cases"]
        C3["3+ cases"]
    end

    C0 --> S0["Score: <b>0</b>"]
    C1 --> S1["Score: <b>40</b>"]
    C2 --> S2["Score: <b>60</b>"]
    C3 --> S3["Score: <b>80</b>"]

    S1 --> BOOST["<b>+ Severity Boost</b><br>Low: +5 · Med: +10<br>High: +15 · Crit: +20"]
    S2 --> BOOST
    S3 --> BOOST

    BOOST --> CAP["Capped at <b>100</b>"]

    style Input fill:#1a237e,stroke:#534bae,color:#fff
    style C0 fill:#37474f,stroke:#78909c,color:#fff
    style C1 fill:#e65100,stroke:#ff9800,color:#fff
    style C2 fill:#d84315,stroke:#ff7043,color:#fff
    style C3 fill:#b71c1c,stroke:#ef5350,color:#fff
    style S0 fill:#37474f,stroke:#78909c,color:#fff
    style S1 fill:#e65100,stroke:#ff9800,color:#fff
    style S2 fill:#d84315,stroke:#ff7043,color:#fff
    style S3 fill:#b71c1c,stroke:#ef5350,color:#fff
    style BOOST fill:#4a148c,stroke:#9c27b0,color:#fff
    style CAP fill:#880e4f,stroke:#f06292,color:#fff

Threat cases carry the most weight because correlated attack patterns spanning multiple alerts are the strongest signal of a real attack in progress.

2. RhythmX Alerts — 20% (RhythmX)

Individual RhythmX rule matches from the RhythmX Rules detection pipeline. The score combines three sub-signals:

flowchart TD
    subgraph AlertCount["<b>Alert Count → Base Score</b>"]
        A1["1 – 5 alerts → <b>20</b>"]
        A2["6 – 15 alerts → <b>40</b>"]
        A3["16 – 30 alerts → <b>60</b>"]
        A4["30+ alerts → <b>75</b>"]
    end

    subgraph RuleDiv["<b>Rule Diversity Boost</b>"]
        R1["2 rules → <b>+5</b>"]
        R2["3 – 4 rules → <b>+10</b>"]
        R3["5+ rules → <b>+15</b>"]
    end

    subgraph SevBoost["<b>Severity Boost</b>"]
        SV1["1 – 4 high/crit → <b>+5</b>"]
        SV2["5+ high/crit → <b>+10</b>"]
    end

    AlertCount --> SUM["<b>Sum All</b><br>Capped at 100"]
    RuleDiv --> SUM
    SevBoost --> SUM

    style AlertCount fill:#4a148c,stroke:#9c27b0,color:#fff
    style RuleDiv fill:#00695c,stroke:#4db6ac,color:#fff
    style SevBoost fill:#b71c1c,stroke:#ef5350,color:#fff
    style A1 fill:#6a1b9a,stroke:#ab47bc,color:#fff
    style A2 fill:#6a1b9a,stroke:#ab47bc,color:#fff
    style A3 fill:#6a1b9a,stroke:#ab47bc,color:#fff
    style A4 fill:#6a1b9a,stroke:#ab47bc,color:#fff
    style R1 fill:#00796b,stroke:#80cbc4,color:#fff
    style R2 fill:#00796b,stroke:#80cbc4,color:#fff
    style R3 fill:#00796b,stroke:#80cbc4,color:#fff
    style SV1 fill:#c62828,stroke:#ef9a9a,color:#fff
    style SV2 fill:#c62828,stroke:#ef9a9a,color:#fff
    style SUM fill:#880e4f,stroke:#f06292,color:#fff

3. Volume — 10% (Combined: SIEM + RhythmX)

The actor's total detection event count (SIEM alarms + RhythmX alerts combined) relative to all other actors in the environment, expressed as a percentile ranking. If an actor has more total events than 90% of all actors, the volume score is 90.

Combined Event Count

Volume combines both LogRhythm SIEM alarms and RhythmX Sigma detections into a single event count. This ensures actors with only Sigma detections (no SIEM alarms) still contribute to volume scoring.

4. Velocity — 10% (Combined: SIEM + RhythmX)

Total detection events per hour of activity, measuring the rate at which events fire for this actor. Combines SIEM alarms and RhythmX alerts for a complete picture.

flowchart LR
    COUNT["Total Events<br>(SIEM + Sigma)"] --> CALC["<b>velocity</b> = events ÷ hours<br><i>minimum 1 hour</i>"]
    HOURS["Hours Active"] --> CALC
    CALC --> SCORE["<b>score</b> = velocity × 10<br><i>capped at 100</i>"]

    SCORE --> E1["1/hr → <b>10</b>"]
    SCORE --> E2["5/hr → <b>50</b>"]
    SCORE --> E3["10+/hr → <b>100</b>"]

    style COUNT fill:#00695c,stroke:#4db6ac,color:#fff
    style HOURS fill:#00695c,stroke:#4db6ac,color:#fff
    style CALC fill:#1a237e,stroke:#534bae,color:#fff
    style SCORE fill:#4a148c,stroke:#9c27b0,color:#fff
    style E1 fill:#1b5e20,stroke:#66bb6a,color:#fff
    style E2 fill:#e65100,stroke:#ff9800,color:#fff
    style E3 fill:#b71c1c,stroke:#ef5350,color:#fff

High velocity indicates a concentrated burst of activity — often a sign of automated attacks or active exploitation.

5. Diversity — 10% (LogRhythm)

The number of unique SIEM detection rules triggered by the actor, expressed as a percentile ranking against all other actors. More diverse rule coverage indicates a broader attack pattern rather than a single noisy rule firing repeatedly.

Why Diversity stays SIEM-only

Sigma rules are already counted in the RhythmX Alerts factor (20%). Adding them to diversity would double-count. Diversity measures breadth of SIEM detection patterns specifically.

6. MITRE ATT&CK — 10% (Combined)

Combines MITRE technique and tactic coverage from both LogRhythm alarms and RhythmX alerts into a single score. Uses an absolute scale (not percentile) because sparse data makes percentile scoring unreliable.

flowchart TD
    subgraph Techniques["<b>Technique Depth → Base Score</b>"]
        T0["0 → <b>0</b>"]
        T1["1 → <b>20</b>"]
        T2["2 → <b>35</b>"]
        T3["3 – 4 → <b>50</b>"]
        T4["5 – 7 → <b>70</b>"]
        T5["8 – 10 → <b>85</b>"]
        T6["10+ → <b>95</b>"]
    end

    subgraph Tactics["<b>Tactic Breadth Bonus</b>"]
        TA1["3 – 4 tactics → <b>+10</b>"]
        TA2["5+ tactics → <b>+15</b>"]
    end

    Techniques --> FINAL["<b>Combined Score</b><br>Capped at 100"]
    Tactics --> FINAL

    style Techniques fill:#00695c,stroke:#4db6ac,color:#fff
    style Tactics fill:#e65100,stroke:#ff9800,color:#fff
    style T0 fill:#37474f,stroke:#78909c,color:#fff
    style T1 fill:#2e7d32,stroke:#66bb6a,color:#fff
    style T2 fill:#558b2f,stroke:#9ccc65,color:#fff
    style T3 fill:#f9a825,stroke:#ffee58,color:#000
    style T4 fill:#ef6c00,stroke:#ffb74d,color:#fff
    style T5 fill:#d84315,stroke:#ff7043,color:#fff
    style T6 fill:#b71c1c,stroke:#ef5350,color:#fff
    style TA1 fill:#e65100,stroke:#ff9800,color:#fff
    style TA2 fill:#bf360c,stroke:#ff8a65,color:#fff
    style FINAL fill:#880e4f,stroke:#f06292,color:#fff

7. Recency — 10% (Combined: All Sources)

How recently the actor was last seen, using the freshest timestamp across all three sources: LogRhythm alarms, RhythmX alerts, and threat case activity.

flowchart LR
    subgraph Sources["<b>Recency Input</b>"]
        S1["LR Alarm last_seen"]
        S2["Sigma Alert last_seen"]
        S3["Threat Case last_alert_time"]
    end

    S1 --> MAX["<b>max(all sources)</b><br>Freshest wins"]
    S2 --> MAX
    S3 --> MAX

    MAX --> SCORE["<b>Recency Score</b>"]

    subgraph Decay["<b>Score Decay</b>"]
        R1["≤ 1 hour → <b>100</b>"]
        R2["1 – 24 hours → <b>70 – 90</b>"]
        R3["1 – 7 days → <b>40 – 70</b>"]
        R4["7 – 30 days → <b>10 – 40</b>"]
        R5["30+ days → <b>0 – 10</b>"]
    end

    SCORE --> Decay

    style Sources fill:#1a237e,stroke:#534bae,color:#fff
    style S1 fill:#0d47a1,stroke:#42a5f5,color:#fff
    style S2 fill:#7b1fa2,stroke:#ce93d8,color:#fff
    style S3 fill:#b71c1c,stroke:#ef5350,color:#fff
    style MAX fill:#00695c,stroke:#4db6ac,color:#fff
    style SCORE fill:#4a148c,stroke:#9c27b0,color:#fff
    style Decay fill:#1a237e,stroke:#534bae,color:#fff
    style R1 fill:#b71c1c,stroke:#ef5350,color:#fff
    style R2 fill:#e65100,stroke:#ff9800,color:#fff
    style R3 fill:#f9a825,stroke:#ffee58,color:#000
    style R4 fill:#558b2f,stroke:#9ccc65,color:#fff
    style R5 fill:#37474f,stroke:#78909c,color:#fff

Why all three sources?

An actor may have a fresh threat case but no recent SIEM alarms (or vice versa). Using the freshest timestamp across all sources ensures recency always reflects the latest activity — preventing stale scores when one source goes quiet.


Data Source Breakdown

flowchart LR
    RXH["<b>RhythmX Only</b><br>RhythmX engine +<br>correlation<br><b>50% total</b>"] --> RX1["<b>Threat Cases</b><br>30%"]
    RXH --> RX2["<b>RhythmX Alerts</b><br>20%"]

    LRH["<b>LogRhythm Only</b><br>SIEM alarms<br><br><b>10% total</b>"] --> LR3["<b>Diversity</b><br>10%"]

    CBH["<b>Combined</b><br>SIEM + RhythmX<br>merged signals<br><b>40% total</b>"] --> CB1["<b>Volume</b><br>10%"]
    CBH --> CB2["<b>Velocity</b><br>10%"]
    CBH --> CB3["<b>MITRE ATT&CK</b><br>10%"]
    CBH --> CB4["<b>Recency</b><br>10%"]

    RX1 --> SCORE["<b>Final Risk Score</b><br>0 – 100"]
    RX2 --> SCORE
    LR3 --> SCORE
    CB1 --> SCORE
    CB2 --> SCORE
    CB3 --> SCORE
    CB4 --> SCORE

    style RXH fill:#7b1fa2,stroke:#ce93d8,color:#fff
    style LRH fill:#0d47a1,stroke:#42a5f5,color:#fff
    style CBH fill:#00695c,stroke:#4db6ac,color:#fff
    style RX1 fill:#9c27b0,stroke:#e1bee7,color:#fff
    style RX2 fill:#9c27b0,stroke:#e1bee7,color:#fff
    style LR3 fill:#1565c0,stroke:#64b5f6,color:#fff
    style CB1 fill:#00897b,stroke:#80cbc4,color:#fff
    style CB2 fill:#00897b,stroke:#80cbc4,color:#fff
    style CB3 fill:#00897b,stroke:#80cbc4,color:#fff
    style CB4 fill:#00897b,stroke:#80cbc4,color:#fff
    style SCORE fill:#b71c1c,stroke:#ef5350,color:#fff

RhythmX-only factors contribute half of the risk score (50%). Combined sources (SIEM + RhythmX) provide 40%. The LogRhythm-only factor (Diversity) contributes the remaining 10%.


Risk Tiers

flowchart LR
    subgraph Tiers["<b>Risk Level Mapping</b>"]
        direction TB
        C["<b>Critical</b><br>80 – 100"]
        H["<b>High</b><br>60 – 79"]
        M["<b>Medium</b><br>40 – 59"]
        L["<b>Low</b><br>0 – 39"]
    end

    C --> CA["Immediate investigation<br>Active, sophisticated threat"]
    H --> HA["Significant risk<br>Prioritize for analyst review"]
    M --> MA["Moderate concern<br>Review during normal workflow"]
    L --> LA["Minimal risk<br>Routine monitoring"]

    style Tiers fill:#1a237e,stroke:#534bae,color:#fff
    style C fill:#b71c1c,stroke:#ef5350,color:#fff
    style H fill:#e65100,stroke:#ff9800,color:#fff
    style M fill:#f9a825,stroke:#ffee58,color:#000
    style L fill:#1b5e20,stroke:#66bb6a,color:#fff
    style CA fill:#c62828,stroke:#ef9a9a,color:#fff
    style HA fill:#ef6c00,stroke:#ffb74d,color:#fff
    style MA fill:#f57f17,stroke:#fff176,color:#000
    style LA fill:#2e7d32,stroke:#81c784,color:#fff

How Risk Drives Automation

The risk score is not just a display metric — it directly controls platform behavior:

flowchart TD
    RS["<b>Risk Score</b><br>0 – 100"] --> SLA["<b>SLA Targets</b>"]
    RS --> AP["<b>Auto-Push Tickets</b>"]
    RS --> IC["<b>Incident Creation</b>"]
    RS --> PQ["<b>Priority Queue</b>"]

    subgraph SLATargets["<b>Response Time SLAs</b>"]
        S1["Critical ≥ 80 → <b>2 hours</b>"]
        S2["High 60 – 79 → <b>4 hours</b>"]
        S3["Medium 40 – 59 → <b>24 hours</b>"]
        S4["Low < 40 → <b>48 hours</b>"]
    end

    subgraph AutoPush["<b>Ticket Integration</b>"]
        T1["Jira / ServiceNow<br><i>Created on ESCALATED + stability</i>"]
    end

    subgraph IncidentCreate["<b>Auto-Incident Rules</b>"]
        I1["Path A: Active threat cases<br><i>Immediate — no time filter</i>"]
        I2["Path B: Score ≥ 70<br><i>No time filter — recency is in the score</i>"]
    end

    subgraph Queue["<b>SOC Dashboard</b>"]
        P1["Ranked investigation queue<br><i>Highest risk first</i>"]
    end

    SLA --> SLATargets
    AP --> AutoPush
    IC --> IncidentCreate
    PQ --> Queue

    style RS fill:#b71c1c,stroke:#ef5350,color:#fff
    style SLA fill:#4a148c,stroke:#9c27b0,color:#fff
    style AP fill:#0d47a1,stroke:#42a5f5,color:#fff
    style IC fill:#e65100,stroke:#ff9800,color:#fff
    style PQ fill:#00695c,stroke:#4db6ac,color:#fff
    style SLATargets fill:#1a237e,stroke:#534bae,color:#fff
    style S1 fill:#c62828,stroke:#ef9a9a,color:#fff
    style S2 fill:#ef6c00,stroke:#ffb74d,color:#fff
    style S3 fill:#f57f17,stroke:#fff176,color:#000
    style S4 fill:#2e7d32,stroke:#81c784,color:#fff
    style AutoPush fill:#1a237e,stroke:#534bae,color:#fff
    style T1 fill:#1565c0,stroke:#64b5f6,color:#fff
    style IncidentCreate fill:#1a237e,stroke:#534bae,color:#fff
    style I1 fill:#d84315,stroke:#ff7043,color:#fff
    style I2 fill:#e65100,stroke:#ff9800,color:#fff
    style Queue fill:#1a237e,stroke:#534bae,color:#fff
    style P1 fill:#00796b,stroke:#80cbc4,color:#fff

Incident Creation

Incidents are automatically created through two paths:

  • Path A — Threat Cases (Immediate): Any actor with active threat cases qualifies immediately — no time filter, no risk threshold required. Even a risk score of 30 with 1 threat case creates an incident (in MONITORING state).
  • Path B — Risk Score: Risk score ≥ 70 qualifies the actor. No time filter — the recency factor (10%) already handles freshness within the score itself.

See Incident Management for the full incident lifecycle including system states, ticket sync, and analyst workflow.

Incident System States

Once created, incidents progress through states based on risk score and threat case count:

| State | Condition | Ticket | Meaning |
|---|---|---|---|
| MONITORING | 1 case OR risk 30–39 | No ticket | Watching, not enough evidence |
| ACTIVE | 2+ cases OR risk 40–69 | No ticket | Real threat, needs attention |
| ESCALATED | 3+ cases OR risk ≥ 70 | Ticket created (after stability check) | High priority, act now |
| RESOLVED | No activity for 24h + no cases | Ticket closed | Threat passed |

Incident Time Classification

Every incident is classified by activity recency:

| Type | Condition | Ticket Behavior |
|---|---|---|
| ACTIVE | Last activity < 1 hour | Ticket created normally |
| RECENT | Last activity < 24 hours OR open threat cases with activity < 48h | Ticket created with "monitor closely" warning |
| HISTORICAL | Last activity ≥ 24 hours, no recent cases | Ticket skipped — no noise for old activity |

Attack Trend

Each incident tracks whether the threat is getting worse or better:

| Trend | Meaning | Indicator |
|---|---|---|
| ⬆ ACCELERATING | Risk increased by 5+ since last cycle | Threat is growing |
| ⬇ COOLING | Risk decreased by 5+ | Threat is subsiding |
| ➡ STABLE | Risk roughly unchanged | No significant change |

Score Breakdown — What Analysts See

When an analyst clicks the risk score badge on any actor card, the platform displays the full 7-factor breakdown:

flowchart TD
    subgraph Breakdown["<b>Actor: jsmith — Risk Score 63 (High)</b>"]
        direction TB
        F1["<b>Threat Cases</b><br>65 / 100 · 30%<br><i>2 active cases, max severity: high</i>"]
        F2["<b>RhythmX Alerts</b><br>55 / 100 · 20%<br><i>12 alerts from 4 rules, 2 high sev</i>"]
        F3["<b>Volume</b><br>82 / 100 · 10%<br><i>47 alarms + 12 sigma = 59 events (top 18%)</i>"]
        F4["<b>Velocity</b><br>30 / 100 · 10%<br><i>3.0 events/hour</i>"]
        F5["<b>Diversity</b><br>71 / 100 · 10%<br><i>8 unique SIEM rules triggered</i>"]
        F6["<b>MITRE ATT&CK</b><br>80 / 100 · 10%<br><i>6 techniques, 3 tactics</i>"]
        F7["<b>Recency</b><br>90 / 100 · 10%<br><i>Last seen: 4 hours ago (from threat case)</i>"]
    end

    style Breakdown fill:#1a237e,stroke:#534bae,color:#fff
    style F1 fill:#c62828,stroke:#ef9a9a,color:#fff
    style F2 fill:#d84315,stroke:#ff7043,color:#fff
    style F3 fill:#e65100,stroke:#ff9800,color:#fff
    style F4 fill:#2e7d32,stroke:#81c784,color:#fff
    style F5 fill:#ef6c00,stroke:#ffb74d,color:#fff
    style F6 fill:#c62828,stroke:#ef9a9a,color:#fff
    style F7 fill:#b71c1c,stroke:#ef5350,color:#fff

This transparency allows analysts to understand why an actor is scored the way it is and which data sources are contributing the most.


Real-World Example

Actor: win-a47ao603la4 (host) — Risk Score 98 (CRITICAL)

This host has active threat cases, many RhythmX detections, high combined event volume, and broad MITRE coverage:

| Factor | Raw Score | Weight | Contribution | What drove it |
|---|---|---|---|---|
| Threat Cases | 100 | × 0.30 | 30 | 16 active cases (APT_CHAIN + PASSWORD_SPRAYING), CRITICAL severity |
| RhythmX Detections | 100 | × 0.20 | 20 | 397 detections across 8 rules, 17 high-severity |
| Volume | 100 | × 0.10 | 10 | 39,812 alarms + 397 sigma = 40,209 events (top 1%) |
| Velocity | 100 | × 0.10 | 10 | 19 events/hour |
| Diversity | 100 | × 0.10 | 10 | Top percentile (1 dominant SIEM rule) |
| MITRE Coverage | 100 | × 0.10 | 10 | 8 techniques across 9 tactics |
| Recency | 84 | × 0.10 | 8 | Last seen ~1 day ago |
| Total | | | 98 | |

Maximum Scores by Deployment Scenario

Not every deployment has a SIEM connected. The risk score adapts based on available data:

| Scenario | Max Possible Score | Why |
|---|---|---|
| Full stack (SIEM + RhythmX + threat cases) | 100 | All 7 factors can max out |
| No SIEM (RhythmX + threat cases) | 80 | Volume/Velocity from sigma only, Diversity = 0. MITRE + Recency from RhythmX |
| No threat cases (SIEM + RhythmX detections) | 70 | Threat Cases = 0. All other factors can max |
| No SIEM + no threat cases (RhythmX detections only) | 50 | RhythmX Detections (20) + Volume/Velocity from sigma (10+10) + MITRE (10) + Recency (10) |
| No data | 0 | Nothing to score |

Implication for incidents: Path B requires risk ≥ 70. Without threat cases, Path B can reach 70 only if other factors (including combined volume/velocity from sigma) are strong enough. With threat cases, Path A creates incidents at any risk level.


Ticket Priority Mapping

When incidents escalate and create Jira/ServiceNow tickets, the risk score maps to ticket priority. Confidence level can boost priority:

| Risk Score | Base Priority | With HIGH/CRITICAL Confidence |
|---|---|---|
| ≥ 80 | P1 (Critical) | P1 (Critical) |
| 60 – 79 | P2 (High) | P1 (Critical) — confidence boost |
| 40 – 59 | P3 (Medium) | P3 (Medium) |
| < 40 | P4 (Low) | P4 (Low) |

Ticket priority is automatically synced — when risk changes enough to cross a priority boundary, RhythmX updates the ticket priority via API (not just adds a comment).
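As an added example (not the platform's own code), the incident rules from the tables above, creation paths, system states, time classification, attack trend, ticket priority and ticket behaviour, written as small Python functions. The stability check before ticket creation is not modelled, and the "NONE" state for an actor below every band is this example's own sentinel.

```python
"""Added example, not RhythmX's own code: the incident lifecycle rules on this page
(creation paths, system states, time classification, attack trend, ticket priority).
The "stability check" before ticket creation is not modelled here (assumption)."""

HIGH_CONFIDENCE = {"HIGH", "CRITICAL"}

def qualifies_for_incident(active_cases: int, risk: int) -> bool:
    """Path A: any active threat case; Path B: risk >= 70. No time filter on either."""
    return active_cases >= 1 or risk >= 70

def incident_state(active_cases: int, risk: int, hours_since_activity: float) -> str:
    """System state from case count OR risk band; RESOLVED after 24h quiet with no cases.
    "NONE" for an actor below every band is this example's own sentinel."""
    if active_cases == 0 and hours_since_activity >= 24:
        return "RESOLVED"
    if active_cases >= 3 or risk >= 70:
        return "ESCALATED"
    if active_cases >= 2 or risk >= 40:
        return "ACTIVE"
    if active_cases >= 1 or risk >= 30:
        return "MONITORING"
    return "NONE"

def time_classification(hours_since_activity: float, case_activity_hours=None) -> str:
    """ACTIVE < 1h; RECENT < 24h or an open case active within 48h; else HISTORICAL."""
    if hours_since_activity < 1:
        return "ACTIVE"
    recent_case = case_activity_hours is not None and case_activity_hours < 48
    if hours_since_activity < 24 or recent_case:
        return "RECENT"
    return "HISTORICAL"

def attack_trend(previous_risk: int, current_risk: int) -> str:
    """A swing of 5+ points between cycles is ACCELERATING or COOLING, else STABLE."""
    delta = current_risk - previous_risk
    return "ACCELERATING" if delta >= 5 else "COOLING" if delta <= -5 else "STABLE"

def ticket_priority(risk: int, confidence: str = "") -> str:
    """Base priority by risk band; HIGH/CRITICAL confidence lifts a P2 to P1 only."""
    base = "P1" if risk >= 80 else "P2" if risk >= 60 else "P3" if risk >= 40 else "P4"
    return "P1" if base == "P2" and confidence.upper() in HIGH_CONFIDENCE else base

def ticket_action(state: str, classification: str) -> str:
    """Only ESCALATED incidents open tickets; HISTORICAL activity is skipped."""
    if state == "RESOLVED":
        return "close"
    if state != "ESCALATED":
        return "none"
    if classification == "HISTORICAL":
        return "skip"
    return "create-with-monitor-warning" if classification == "RECENT" else "create"

if __name__ == "__main__":
    # Constructed walk-through: 3 active cases, risk 72 (64 last cycle), last activity
    # 5 hours ago, newest case activity 3 hours ago, HIGH confidence.
    state = incident_state(3, 72, 5)
    cls = time_classification(5, 3)
    print(state, cls, ticket_action(state, cls), ticket_priority(72, "HIGH"),
          attack_trend(64, 72))  # ESCALATED RECENT create-with-monitor-warning P1 ACCELERATING
```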


Scoring Across the Platform

flowchart TD
    RS["<b>Risk Score Engine</b><br>7-Factor Model"] --> ALM["<b>Security Alarms</b><br>Risk badges, filtering,<br>investigation priority"]
    RS --> MSSP["<b>MSSP Dashboard</b><br>Entity risk meters,<br>tier filtering, trends"]
    RS --> INC["<b>Incident Management</b><br>System states, SLA,<br>auto-escalation, ticket sync"]
    RS --> CASE["<b>Case Management</b><br>Case risk scoring,<br>actor correlation"]
    RS --> SOC["<b>SOC Dashboard</b><br>Priority queue ranking,<br>risk distribution"]
    RS --> RPT["<b>Reporting</b><br>Risk trends, executive<br>summaries, compliance"]

    style RS fill:#b71c1c,stroke:#ef5350,color:#fff
    style ALM fill:#0d47a1,stroke:#42a5f5,color:#fff
    style MSSP fill:#4a148c,stroke:#9c27b0,color:#fff
    style INC fill:#e65100,stroke:#ff9800,color:#fff
    style CASE fill:#00695c,stroke:#4db6ac,color:#fff
    style SOC fill:#1565c0,stroke:#64b5f6,color:#fff
    style RPT fill:#6a1b9a,stroke:#ab47bc,color:#fff