Risk Vector scores and percentiles are all 0 but users have an overall risk score and rating
search cancel

Risk Vector scores and percentiles are all 0 but users have an overall risk score and rating

book

Article ID: 221790

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

When checking user scores and ratings on an Identities > User Details page in the Information Centric Analytics (ICA) console, you find that despite having an overall non-zero Percentile ranking and Risk Score, the Weighted and Normalized scores across all Risk Vectors for the user are 0.00; all Percentiles are 0%; and the Change Since Yesterday column shows positive and/or negative changes on one or more Risk Vectors.

Environment

Release : 6.5.x

Component : Risk Scores

Cause

The Calculate Risk Scores step of the RiskFabric Processing job started before midnight and completed at or after midnight.

If risk scores are calculated before midnight and the Risk Scoring watermark is set at or after midnight, the scores will be treated as though they were the previous day's values rather than today's values. This is why you will still see a comparison between yesterday's scores and today's; what should be today's scores are treated as yesterday's.

Resolution

Schedule the RiskFabric Processing job to run at a time that avoids the Calculate Risk Scores job step traversing or ending at midnight.

An improvement to implement a check against this scenario is under development and will be included in a future release of ICA.

Additional Information

The same behavior can be seen on the details pages of other entity types (e.g., Person, Computer Endpoint, etc.).

The Risk Scoring Watermark value can be viewed by navigating to Admin > Settings > General > Risk Scoring - Overall or by running the following query in SQL Server Management Studio:

USE    RiskFabric;
GO
SELECT [Value]
FROM   PortalSettings
WHERE  DisplayName = 'Risk Scoring Watermark';

The following query will return the time at which scoring began during the last Risk Fabric Processing job:

USE      msdb;
GO
SELECT   TOP 1 run_date AS [Date],
         STUFF(STUFF(RIGHT(REPLICATE('0', 6) + CAST(h.run_time AS varchar(6)), 6), 3, 0, ':'), 6, 0, ':') AS [Time]
FROM     sysjobhistory AS h
JOIN     sysjobs AS j
ON       h.job_id = j.job_id
WHERE    j.[name] = 'RiskFabric Processing'
AND      h.step_name = 'Calculate Risk Scores'
AND      run_status NOT IN (0, 3)
ORDER BY run_date DESC;
Powered by Wolken Software