View and analyze risk score data

edit

The Elastic Security app provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the Elastic Security app to view and analyze risk score data:

We recommend that you prioritize alert triaging to identify anomalies or abnormal behavior patterns.

Entity Analytics dashboard

edit

From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the Alerts column to investigate and analyze the alerts on the Alerts page.

Entity Analytics dashboard

Alert triaging

edit

You can prioritize alert triaging to analyze alerts associated with risky entities using the following features in the Elastic Security app.

Alerts page
edit

Use the Alerts table to investigate and analyze host and user risk levels and scores. We recommend adding the user.risk.calculated_level and host.risk.calculated_level columns to the Alerts table to easily display this data. To do this, select Fields, search for user.risk and host.risk, then select the appropriate fields from the list. Learn more about customizing the Alerts table.

Risk scores in the Alerts table

You can use the drop-down filter controls to filter alerts by their risk score level. To do this, edit the default controls to filter by user.risk.calculated_level or host.risk.calculated_level:

Alerts filtered by high host risk level
Alert details flyout
edit

To access risk score data in the alert details flyout, select InsightsEntities on the Overview tab:

Risk scores in the Alerts flyout
Hosts and Users pages
edit

On the Hosts and Users pages, you can access the risk score data:

  • In the Host risk level or User risk level column on the All hosts or All users tab:

    Host risk level data on the All hosts tab of the Hosts page
  • On the Host risk or User risk tab:

    Host risk data on the Host risk tab of the Hosts page
Host and user details pages
edit

On the host details and user details pages, you can access the risk score data:

  • In the Overview section:

    Host risk data in the Overview section of the host details page
  • On the Host risk or User risk tab:

    Host risk data on the Host risk tab of the host details page