Host risk score
editHost risk score
editThis feature is available for Elastic Stack versions 7.16.0 and newer.
The host risk score feature highlights risky hosts from within your environment. It utilizes a transform with a scripted metric aggregation to calculate host risk scores based on alerts that were generated within the past five days. The transform runs hourly to update the score as new alerts are generated.
Each rule’s contribution to the host risk score is based on the rule’s risk score (signal.rule.risk_score) and a time decay factor to reduce the impact of stale alerts. The risk score is calculated using a weighted sum where rules with higher time-corrected risk scores also have higher weights. Each host risk score is normalized to a scale of 0 to 100.
Specific host attributes can boost the final risk score. For example, alert activity on a server poses a greater risk than that on a laptop. Therefore, the host risk score is 1.5 times higher if the host is a server. This boosted score is finalized after calculating the weighted sum of the time-corrected risks.
The following table shows how risk levels are applied to a host, based on the normalized risk score:
| Risk level | Host risk score |
|---|---|
Unknown |
< 20 |
Low |
20-40 |
Moderate |
40-70 |
High |
70-90 |
Critical |
> 90 |
Deploy the host risk score package
editTo deploy the host risk score framework in your environment, follow these steps. These instructions also include steps to enable the riskyHostsEnabled feature flag.
Update host risk score artifacts after you upgrade the Elastic Stack. To do this, download a release bundle that’s compatible with the new Elastic Stack version and repeat all the steps referenced above. Failure to do so might cause views in the Elastic Security app to break.
To view host risk score data in the Elastic Security app, you must enable the riskyHostsEnabled feature flag. However, enabling the feature flag is NOT required to view the Lens dashboards.
View host risk score data
editIf the riskyHostsEnabled feature flag is enabled:
- In the Elastic Security app, go to the Overview page, then locate the Current host risk scores card in the lower-right corner.
-
Click View dashboard.
If the riskyHostsEnabled feature flag is NOT enabled:
- In Kibana, go to Analytics → Dashboard.
-
Select the Current Risk Score for Hosts dashboard.
-
In the Current Risk Scores for Hosts list, hover over the host name to view, click the + button, then select Go to Dashboard.
It is recommended you analyze hosts with the highest risk scores — or those in the Critical and Moderate categories first.
Use the histogram to track how the risk score for a particular host has changed over time. To specify a date range, use the date and time picker or drag and select a time range within the histogram.
To go to the host’s detail page, left-click any host’s corresponding bar in the histogram, then select Go to Host View.
The data tables beneath the histogram display associated rules, users, and MITRE tactics of risky hosts. The table data is sorted in reverse chronological order by default, with the highest total risk score at the top. Use this information to triage alerts that pose the highest risk to your network.
Additional places to visualize host risk score data
editIf the riskyHostsEnabled feature flag is enabled, you can visualize host risk score data in the following places in the Elastic Security app:
The Overview tab on the Alert details flyout:
The Host risk classification column in the All hosts table on the Hosts page:
The Hosts by risk tab on the Hosts page:
The Overview section on the Host details page:
The Hosts by risk tab on the Host details page:
