Risk Model instances are created overnight with Last Event Date values that are two days old. E.g., when reviewing Risk Model instances on a Tuesday, the Last Event Date on these instances is Monday. On Wednesday, new Risk Model instances are created overnight with a Last Event Date of Monday.
Release : 6.5.x
Component : Risk Models
New DIM incidents and unified events (UE: Web Activity, Authentication, and Endpoint Protection) are ingested into ICA during the nightly RiskFabric Processing job and, if enabled, during the RiskFabric Intraday Processing job. Note that only DIM incidents are ingested by the intraday job; all other event types are only processed once a day by design.
New Event Scenario instances are created when new incidents and events are ingested.
New Risk Model instances are only created when new incidents/events and event scenario instances matching risk model configurations are ingested/created.
If the RiskFabric Intraday Processing job is disabled, any incidents/events generated after the staging step of the nightly job will not be ingested until the next nightly run 24 hours later.
To reduce the delay in risk model instance creation for those risk models based on DIM incidents, schedule the RiskFabric Intraday Processing job to run throughout the day (not more frequently than every two hours). Risk Models built on other event types will continue to only generate instances during the nightly processing job, however.