elastic · natasha-moore-elastic · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024
@@ -37,6 +37,8 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne
 == How is risk score calculated?
 
 . The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
++
+NOTE: When <<turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.
 
 . The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
 

@@ -29,7 +29,9 @@ image::images/preview-risky-entities.png[Preview of risky entities]
 If you're installing the risk scoring engine for the first time:
 
 . Find **Entity Risk Score** in the navigation menu.
-. Turn the **Entity risk score** toggle on.
+. On the **Entity Risk Score** page, turn the toggle on.
+
+You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.
 
 [role="screenshot"]
 image::images/turn-on-risk-engine.png[Turn on entity risk scoring]