Entity risk scoring

Entity risk scoring is an advanced Elastic Security analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response.

Entity risk scoring lets you monitor changes in the risk scores of hosts and users in your environment. The risk scoring engine draws on detections from Elastic Security's end-to-end XDR use cases (SIEM, cloud, and endpoint) and uses the SIEM detection engine's alerts from the last 30 days to generate host and user risk scores.

The engine recalculates scores on a recurring interval, is straightforward to turn on and manage, is built to factor in risk from all Elastic Security use cases, and lets you customize and control how and when risk is calculated.
Risk scoring inputs

Entity risk scores are determined by the following risk inputs:

Risk input | Storage location |
---|---|
Alerts | |
Asset criticality | |

The resulting entity risk scores are stored in the risk-score.risk-score-<space-id> data stream alias.

Entities without any alerts, or with only Closed alerts, are not assigned a risk score.
How is risk score calculated?

1. The risk scoring engine runs hourly to aggregate Open and Acknowledged alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. When turning on the risk engine, you can choose to also include Closed alerts in risk scoring calculations.

2. The engine groups alerts by host.name or user.name, and aggregates the individual alert risk scores (kibana.alert.risk_score) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the Alerts category in the entity's risk summary.

3. The engine then checks the entity's asset criticality level. If no asset criticality level is assigned, the entity risk score remains equal to the aggregated score from the Alerts category. If a criticality level is assigned, the engine adjusts the risk score using the default risk weight for that level. The asset criticality risk input is assigned to the Asset Criticality category in the entity's risk summary.

   Asset criticality level | Default risk weight |
   ---|---|
   Low impact | 0.5 |
   Medium impact | 1 |
   High impact | 1.5 |
   Extreme impact | 2 |

   Asset criticality levels and default risk weights are subject to change.

4. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels:

   Risk level | Risk score |
   ---|---|
   Unknown | < 20 |
   Low | 20-40 |
   Moderate | 40-70 |
   High | 70-90 |
   Critical | > 90 |
Risk score calculation example

This example shows how the risk scoring engine calculates the user risk score for User_A, whose asset criticality level is Extreme impact.

There are 5 open alerts associated with User_A:

- Alert 1 with alert risk score 21
- Alert 2 with alert risk score 45
- Alert 3 with alert risk score 21
- Alert 4 with alert risk score 70
- Alert 5 with alert risk score 21

To calculate the user risk score, the risk scoring engine:

1. Sorts the associated alerts in descending order of alert risk score:

   - Alert 4 with alert risk score 70
   - Alert 2 with alert risk score 45
   - Alert 1 with alert risk score 21
   - Alert 3 with alert risk score 21
   - Alert 5 with alert risk score 21

2. Generates an aggregated risk score of 36.16, and assigns it to User_A's Alerts risk category.

3. Looks up User_A's asset criticality level, and identifies it as Extreme impact.

4. Generates a new risk input under the Asset Criticality risk category, with a risk contribution score of 16.95.

5. Increases the user risk score to 53.11, and assigns User_A a Moderate user risk level.

If User_A had no asset criticality level assigned, the user risk score would remain unchanged at 36.16.
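The following is an added worked example, not Elastic's own code, that carries the calculation steps and the User_A example above through in Python. The page does not state the weighting formula; the choices below (each alert's score divided by its rank to the power 1.5, the sum normalized by 261.2, and the criticality weight applied as a multiplier on the odds of the score) are assumptions taken from what is publicly known of Kibana's open-source risk engine, as is the alert status field name kibana.alert.workflow_status and the lower-inclusive level boundaries. They reproduce the page's numbers (36.16 for the Alerts category, 53.11 after the Extreme impact adjustment). The alerts are constructed sample data.

```python
"""Reconstruction of the entity risk score calculation (added example).

Assumptions not stated on the page (check them against your deployment):
  - each alert's score is divided by rank ** 1.5 (rank 1 = highest score),
  - the weighted sum is normalized by 261.2 (about 100 * zeta(1.5)), so an
    arbitrarily long list of maximum-score alerts approaches, never exceeds, 100,
  - the asset criticality weight multiplies the odds of score / 100,
  - alert status is read from `kibana.alert.workflow_status`,
  - level boundaries are inclusive at the lower end (20, 40, 70, 90).
"""
from collections import defaultdict

RANK_EXPONENT = 1.5             # assumed
NORMALIZATION = 261.2           # assumed
MAX_ALERTS_PER_ENTITY = 10_000  # from the page
CRITICALITY_WEIGHT = {          # default risk weights from the table above
    "low_impact": 0.5,
    "medium_impact": 1.0,
    "high_impact": 1.5,
    "extreme_impact": 2.0,
}
LEVELS = ((90, "Critical"), (70, "High"), (40, "Moderate"), (20, "Low"), (0, "Unknown"))


def aggregate_alert_scores(scores):
    """Rank-weighted sum: the top alert counts fully, later ones decay with rank."""
    ranked = sorted(scores, reverse=True)[:MAX_ALERTS_PER_ENTITY]
    weighted = sum(s / (rank + 1) ** RANK_EXPONENT for rank, s in enumerate(ranked))
    return 100.0 * weighted / NORMALIZATION


def apply_criticality(score, criticality):
    """Scale the odds of the score by the criticality weight; no level, no change."""
    if criticality is None:
        return score
    p = score / 100.0
    if p >= 1.0:  # unreachable with the normalization above, but keep the math safe
        return 100.0
    odds = p / (1.0 - p) * CRITICALITY_WEIGHT[criticality]
    return 100.0 * odds / (1.0 + odds)


def risk_level(score):
    """Map a 0-100 score to a risk level (assumed lower-inclusive boundaries)."""
    for floor, level in LEVELS:
        if score >= floor:
            return level
    return "Unknown"


def score_entities(alerts, criticality, entity_field="user.name", include_closed=False):
    """Group alerts by entity and build each entity's risk summary.

    Entities with no alerts, or with only Closed alerts when include_closed is
    False, get no entry: the page says they are not assigned a risk score.
    """
    statuses = {"open", "acknowledged"} | ({"closed"} if include_closed else set())
    by_entity = defaultdict(list)
    for alert in alerts:
        if alert.get("kibana.alert.workflow_status") in statuses and entity_field in alert:
            by_entity[alert[entity_field]].append(alert["kibana.alert.risk_score"])
    summary = {}
    for entity, scores in by_entity.items():
        alerts_score = aggregate_alert_scores(scores)
        total = apply_criticality(alerts_score, criticality.get(entity))
        summary[entity] = {
            "alerts_score": round(alerts_score, 2),
            "criticality_contribution": round(total - alerts_score, 2),
            "score": round(total, 2),
            "level": risk_level(total),
        }
    return summary


# Constructed sample alerts: User_A mirrors the worked example above, User_B has
# only a Closed alert, User_C has an alert but no asset criticality level.
SAMPLE_ALERTS = [
    {"user.name": "User_A", "kibana.alert.risk_score": 21, "kibana.alert.workflow_status": "open"},
    {"user.name": "User_A", "kibana.alert.risk_score": 45, "kibana.alert.workflow_status": "open"},
    {"user.name": "User_A", "kibana.alert.risk_score": 21, "kibana.alert.workflow_status": "open"},
    {"user.name": "User_A", "kibana.alert.risk_score": 70, "kibana.alert.workflow_status": "open"},
    {"user.name": "User_A", "kibana.alert.risk_score": 21, "kibana.alert.workflow_status": "open"},
    {"user.name": "User_B", "kibana.alert.risk_score": 99, "kibana.alert.workflow_status": "closed"},
    {"user.name": "User_C", "kibana.alert.risk_score": 47, "kibana.alert.workflow_status": "acknowledged"},
]
SAMPLE_CRITICALITY = {"User_A": "extreme_impact"}

if __name__ == "__main__":
    for entity, row in score_entities(SAMPLE_ALERTS, SAMPLE_CRITICALITY).items():
        print(entity, row)
```

Applied to the exact aggregate (36.1618...) rather than the displayed 36.16, the criticality step yields 53.12; the page's 53.11 is what you get when the adjustment is applied to the rounded Alerts score, so treat the last digit as rounding, not as a different formula. Raising include_closed to True is the only thing that brings User_B into the output, which is the behaviour to expect once Closed alerts are opted into when the engine is turned on.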
Learn how to turn on the risk scoring engine.