Turn on the risk scoring engine
This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to Entity risk scoring prerequisites.
The latest risk scoring engine runs hourly to aggregate Open and Acknowledged alerts from the last 30 days, and assigns a risk score to the host or user. It then aggregates the individual risk scores and normalizes them to a 0-100 range. The engine assigns a risk level by mapping the normalized risk score to one of these levels:
Risk level | Risk score |
---|---|
Unknown | < 20 |
Low | 20-40 |
Moderate | 40-70 |
High | 70-90 |
Critical | > 90 |
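As an added illustration of the pipeline described above (not Elastic's own code): keep only Open and Acknowledged alerts from the last 30 days, aggregate them per host or user, normalize to 0-100 and map the result to the levels in the table. The alert records are constructed, and the normalization (sum of per-alert risk clamped at 100) and the handling of the exact boundary values are assumptions; only the level thresholds come from the page.

```python
from datetime import datetime, timedelta, timezone

# Levels from the table above. The table does not say what happens at exactly
# 20, 40, 70 or 90; this assumes inclusive lower bounds and Critical only > 90.
def risk_level(score: float) -> str:
    if score < 20:
        return "Unknown"
    if score < 40:
        return "Low"
    if score < 70:
        return "Moderate"
    if score <= 90:
        return "High"
    return "Critical"

def score_entities(alerts, now, window_days=30):
    """Aggregate Open/Acknowledged alerts from the last window_days per host or
    user, normalize to 0-100 and map to a level. The normalization (sum of
    per-alert risk clamped at 100) is a stand-in; the real engine's formula is
    not described on this page."""
    cutoff = now - timedelta(days=window_days)
    totals = {}
    for alert in alerts:
        if alert["status"] not in ("open", "acknowledged"):
            continue  # closed alerts never contribute
        if alert["timestamp"] < cutoff:
            continue  # older than the window, ignored
        key = (alert["entity_type"], alert["entity"])
        totals[key] = totals.get(key, 0.0) + float(alert["alert_risk"])
    scored = {key: min(100.0, total) for key, total in totals.items()}
    return {key: (score, risk_level(score)) for key, score in scored.items()}
# Constructed sample alerts; names, values and timestamps are made up.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
def _alert(kind, name, status, risk, days_ago):
    return {"entity_type": kind, "entity": name, "status": status,
            "alert_risk": risk, "timestamp": NOW - timedelta(days=days_ago)}

SAMPLE_ALERTS = [
    _alert("host", "web-01", "open", 47, 3),
    _alert("host", "web-01", "acknowledged", 30, 10),
    _alert("host", "web-01", "closed", 99, 1),   # excluded: closed
    _alert("host", "db-02", "open", 15, 1),
    _alert("host", "db-02", "open", 55, 40),     # excluded: older than 30 days
    _alert("user", "alice", "open", 73, 2),
    _alert("user", "alice", "open", 45, 5),
]
if __name__ == "__main__":
    for (kind, name), (score, level) in sorted(score_entities(SAMPLE_ALERTS, NOW).items()):
        print(f"{kind} {name}: score={score:.0f} level={level}")
```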
Preview risky entities
You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker.
The preview is limited to two risk scores per Kibana instance.
To preview risky entities, go to Manage → Entity Risk Score.
Turn on the latest risk engine
- To view risk score data, you must have alerts generated in your environment.
- If you previously installed the original user and host risk score modules, and you’re upgrading to Elastic Stack version 8.11 or newer, refer to Upgrade to the latest risk engine.
If you’re installing the risk scoring engine for the first time:
- Go to Manage → Entity Risk Score.
- Turn the Entity risk score toggle on.
Upgrade to the latest risk engine
If you upgraded to 8.11 from an earlier Elastic Stack version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as:
- The Entity Analytics dashboard
- The User risk tab on the Users page
- The User risk tab on a user’s details page
- The Host risk tab on the Hosts page
- The Host risk tab on a host’s details page
To upgrade to the latest risk engine:
- Click Manage in the upgrade prompt, or go to Manage → Entity Risk Score.
- On the Entity Risk Score page, click Start update next to the Update available label.
- On the confirmation message, click Yes, update now. The old transform is removed and the latest risk engine is installed.
- When the installation is complete, confirm that the Entity risk score toggle is on.
Previous risk score data is retained when you upgrade to the latest risk engine.