IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Risk information Fields

edit

Risk information Fields

edit

Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.

These fields are in beta and are subject to change.

Risk information Field Details

edit

Field	Description	Level
risk.calculated_level	A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword example: `High`	extended
risk.calculated_score	A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float example: `880.73`	extended
risk.calculated_score_norm	A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. type: float example: `88.73`	extended
risk.static_level	A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword example: `High`	extended
risk.static_score	A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float example: `830.0`	extended
risk.static_score_norm	A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. type: float example: `83.0`	extended

Field Reuse

edit

The risk fields are expected to be nested at:

host.risk
user.risk

Note also that the risk fields are not expected to be used directly at the root of the events.

« Related Fields Rule Fields »