Turn on the risk scoring engine


This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to Entity risk scoring requirements.

Preview risky entities


You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker.

The preview is limited to two risk scores per Kibana instance.

To preview risky entities, find Entity Risk Score in the navigation menu or search for it with the global search field.

[Image: Preview of risky entities]

Turn on the latest risk engine

  • To view risk score data, you must have alerts generated in your environment.
  • If you previously installed the original user and host risk score modules, and you’re upgrading to Elastic Stack version 8.11 or newer, refer to Upgrade to the latest risk engine.

If you’re installing the risk scoring engine for the first time:

  1. Find Entity Risk Score in the navigation menu.
  2. On the Entity Risk Score page, turn the toggle on.

You can also choose to include Closed alerts in risk scoring calculations and specify a date and time range for the calculation.

[Image: Turn on entity risk scoring]

Upgrade to the latest risk engine


If you upgraded to 8.11 from an earlier Elastic Stack version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as:

  • The Entity Analytics dashboard
  • The User risk tab on the Users page
  • The User risk tab on a user’s details page
  • The Host risk tab on the Hosts page
  • The Host risk tab on a host’s details page

[Image: Prompt to upgrade to the latest risk engine]

  1. Click Manage in the upgrade prompt, or find Entity Risk Score in the navigation menu.
  2. On the Entity Risk Score page, click Start update next to the Update available label.

    [Image: Start the risk engine upgrade]
  3. On the confirmation message, click Yes, update now. The old transform is removed and the latest risk engine is installed.
  4. When the installation is complete, confirm that the Entity risk score toggle is on.

    [Image: Turn on entity risk scoring]

Previous risk score data is retained when you upgrade to the latest risk engine.