Risk information Fields

Fields for describing the risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.

These fields are in beta and are subject to change.
Risk information Field Details

Field | Description | Level |
---|---|---|
risk.calculated_level | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword | extended |
risk.calculated_score | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float | extended |
risk.calculated_score_norm | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. type: float | extended |
risk.static_level | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword | extended |
risk.static_score | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float | extended |
risk.static_score_norm | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. type: float | extended |
Field Reuse

The risk fields are expected to be nested at:
- host.risk
- user.risk

Note also that the risk fields are not expected to be used directly at the root of the events.
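The placement and range rules above are easy to get wrong in a custom ingest pipeline or an enrichment job. The following validator is an added example, not code from the ECS project; it assumes the ECS risk field names (risk.calculated_level, risk.calculated_score, risk.calculated_score_norm, risk.static_level, risk.static_score, risk.static_score_norm) and checks a JSON-style event document against the rules this page states: risk fields only under host.risk or user.risk, never under event.* or at the event root, keyword versus float typing, and normalized scores within 0 to 100. The two sample documents are constructed for illustration.

```python
"""Validate ECS risk.* field placement and values in an event document.

Added example, not part of the ECS documentation or code base. It encodes the
rules stated on the risk field page: the risk field set is reused at
host.risk / user.risk, must not appear under event.* or at the event root,
and *_score_norm values are normalized to 0..100. Field names assume the ECS
risk field set.
"""
from numbers import Number

# ECS risk field set: field name -> expected ECS type
RISK_FIELDS = {
    "calculated_level": "keyword",
    "calculated_score": "float",
    "calculated_score_norm": "float",
    "static_level": "keyword",
    "static_score": "float",
    "static_score_norm": "float",
}

# Entity objects under which the risk field set is expected to be nested
RISK_REUSE_PARENTS = ("host", "user")


def _check_risk_object(prefix, risk, issues):
    """Validate one nested risk object (e.g. host.risk) and append findings to issues."""
    if not isinstance(risk, dict):
        issues.append(f"{prefix}.risk must be an object, got {type(risk).__name__}")
        return
    for name, value in risk.items():
        path = f"{prefix}.risk.{name}"
        expected = RISK_FIELDS.get(name)
        if expected is None:
            issues.append(f"{path}: not an ECS risk field")
        elif expected == "keyword" and not isinstance(value, str):
            issues.append(f"{path}: expected keyword (string), got {type(value).__name__}")
        elif expected == "float" and (isinstance(value, bool) or not isinstance(value, Number)):
            issues.append(f"{path}: expected float, got {type(value).__name__}")
        elif name.endswith("_norm") and not 0 <= value <= 100:
            # Only reached for numeric *_norm fields: enforce the 0..100 normalization
            issues.append(f"{path}: normalized score {value} is outside 0..100")


def validate_risk_fields(doc):
    """Return a list of problems found; an empty list means the document is compliant."""
    issues = []
    # Rule: risk.* is not expected directly at the root of the event
    if "risk" in doc:
        issues.append("risk.* must not be used at the root of the event")
    # Rule: risk.* is not allowed under event.*; event.risk_score(_norm) stay valid
    event = doc.get("event", {})
    if isinstance(event, dict) and "risk" in event:
        issues.append("event.risk.* is not allowed; use event.risk_score / event.risk_score_norm")
    # Validate the nested copies where the field set is expected to be reused
    for parent in RISK_REUSE_PARENTS:
        entity = doc.get(parent)
        if isinstance(entity, dict) and "risk" in entity:
            _check_risk_object(parent, entity["risk"], issues)
    return issues


# Constructed sample documents (not real telemetry)
COMPLIANT_DOC = {
    "event": {"kind": "alert", "risk_score": 73.0, "risk_score_norm": 73.0},
    "host": {
        "name": "web-01",
        "risk": {"calculated_level": "High", "calculated_score": 880.73,
                 "calculated_score_norm": 88.73},
    },
    "user": {"name": "svc-backup", "risk": {"static_level": "Moderate", "static_score_norm": 47.0}},
}

NONCOMPLIANT_DOC = {
    "event": {"kind": "alert", "risk": {"calculated_level": "High"}},  # risk under event.*
    "risk": {"calculated_level": "High"},                             # risk at the root
    "user": {
        "name": "jdoe",
        "risk": {"calculated_level": 5,               # keyword field holding a number
                 "calculated_score_norm": 140.0,      # outside 0..100
                 "severity": "high"},                 # not an ECS risk field
    },
}

if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT_DOC), ("noncompliant", NONCOMPLIANT_DOC)):
        print(label, validate_risk_fields(doc) or "OK")
```

Running the module prints "OK" for the first document and five findings for the second; wiring validate_risk_fields into a pre-index hook or a pipeline test is the natural use.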