Risk information Fields


Fields describing the risk score and risk level of entities such as hosts and users. These fields must not be nested under event.*; continue to use event.risk_score and event.risk_score_norm for the risk of an individual event.

These fields are in beta and are subject to change.

Risk information Field Details

Each entry below gives the field name, its description, its data type, an example value, and its ECS level (core or extended).

risk.calculated_level

A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.

type: keyword

example: High

extended

risk.calculated_score

A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.

type: float

example: 880.73

extended

risk.calculated_score_norm

A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.

type: float

example: 88.73

extended

risk.static_level

A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.

type: keyword

example: High

extended

risk.static_score

A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.

type: float

example: 830.0

extended

risk.static_score_norm

A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.

type: float

example: 83.0

extended

Field Reuse


The risk fields are expected to be nested at:

  • host.risk
  • user.risk

Note also that the risk fields are not expected to be used directly at the root of an event.
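The placement rules above (risk.* only under host.risk or user.risk, never under event.* or at the document root, with the *_score_norm fields confined to 0 to 100) are easy to get wrong in an ingest pipeline. The validator below is an added example written for this page; it is not part of ECS or of any Elastic tooling. The field names and types are taken from the table above; the sample documents, the validate_risk function and its error strings are constructed here for illustration.

```python
"""Check where ECS risk.* fields appear in a document and whether their values fit.

Added example, not ECS project code. The documents at the bottom are
constructed for illustration; the rules mirror the field definitions on
this page.
"""

# Field name -> expected Python type (keyword -> str, float -> float).
RISK_FIELDS = {
    "calculated_level": str,
    "calculated_score": float,
    "calculated_score_norm": float,
    "static_level": str,
    "static_score": float,
    "static_score_norm": float,
}

# The only parents under which risk.* may be reused.
ALLOWED_PARENTS = ("host", "user")


def validate_risk(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the risk fields are well-formed."""
    problems = []

    # Rule 1: risk.* is not allowed at the root of the event.
    if "risk" in doc:
        problems.append("risk.* must not be used at the root of the event")

    # Rule 2: risk.* is not allowed under event.*; event risk has its own fields.
    event = doc.get("event")
    if isinstance(event, dict) and "risk" in event:
        problems.append(
            "event.risk.* is not allowed; use event.risk_score / event.risk_score_norm"
        )

    # Rule 3: under host.risk and user.risk, check names, types and the 0..100 range.
    for parent in ALLOWED_PARENTS:
        entity = doc.get(parent)
        risk = entity.get("risk") if isinstance(entity, dict) else None
        if not isinstance(risk, dict):
            continue
        for name, value in risk.items():
            path = f"{parent}.risk.{name}"
            expected = RISK_FIELDS.get(name)
            if expected is None:
                problems.append(f"{path}: unknown risk field")
                continue
            if expected is float:
                # bool is a subclass of int in Python, so reject it explicitly.
                if isinstance(value, bool) or not isinstance(value, (int, float)):
                    problems.append(f"{path}: expected float, got {type(value).__name__}")
                    continue
                if name.endswith("_norm") and not 0 <= value <= 100:
                    problems.append(f"{path}: normalized score {value} outside 0..100")
            elif not isinstance(value, str):
                problems.append(f"{path}: expected keyword, got {type(value).__name__}")
    return problems


# Constructed sample documents (not real data).
GOOD_DOC = {
    "host": {
        "name": "web-01",
        "risk": {
            "calculated_level": "High",
            "calculated_score": 880.73,
            "calculated_score_norm": 88.73,
        },
    },
    "user": {
        "name": "alice",
        "risk": {"static_level": "High", "static_score": 830.0, "static_score_norm": 83.0},
    },
    "event": {"risk_score": 70.0},
}

BAD_DOC = {
    "risk": {"calculated_level": "High"},                  # at the root
    "event": {"risk": {"calculated_score": 1.0}},          # under event.*
    "host": {
        "risk": {
            "calculated_score_norm": 880.73,               # raw score put in the _norm field
            "calculated_level": 3,                         # keyword field given a number
        }
    },
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate_risk(doc) or "ok")
```

Running the module prints "good ok" followed by the four problems found in BAD_DOC. Dropping the document on any finding is a reasonable ingest policy, since a risk score that lands in the wrong place (or an unnormalized value in a *_norm field) silently breaks whatever downstream rule or dashboard keys on host.risk.* or user.risk.*.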
