Risk information Fields


Fields for describing the risk score and risk level of entities such as hosts and users. These fields must not be nested under event.*; continue to use event.risk_score and event.risk_score_norm for the risk of an event itself.

These fields are in beta and are subject to change.

Risk information Field Details

Each field is listed with its description, data type, an example value, and its ECS field level.

Field: risk.calculated_level
Description: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
Type: keyword
Example: High
Level: extended

Field: risk.calculated_score
Description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
Type: float
Example: 880.73
Level: extended

Field: risk.calculated_score_norm
Description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, normalized to a range of 0 to 100.
Type: float
Example: 88.73
Level: extended

Field: risk.static_level
Description: A risk classification level obtained from outside the system, such as from an external Threat Intelligence Platform.
Type: keyword
Example: High
Level: extended

Field: risk.static_score
Description: A risk classification score obtained from outside the system, such as from an external Threat Intelligence Platform.
Type: float
Example: 830.0
Level: extended

Field: risk.static_score_norm
Description: A risk classification score obtained from outside the system, such as from an external Threat Intelligence Platform, normalized to a range of 0 to 100.
Type: float
Example: 83.0
Level: extended

Field Reuse


The risk fields are expected to be nested at:

  • host.risk
  • user.risk

Note also that the risk fields are not expected to be used directly at the root of an event.
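The following is an added example, not code from the ECS project, covering both the field definitions above and the reuse rules in this section. It builds an ECS-style document with a risk object nested under host and user, then checks the constraints the text states: no risk.* at the event root or under event.*, the *_norm scores within 0 to 100, and level fields as keywords. The normalization (linear scaling against an assumed maximum of 1000, clamped to 0..100) and the sample document values are assumptions for illustration; ECS does not prescribe how the normalized score is derived.

```python
from __future__ import annotations

# Added example (not ECS project code). The normalisation formula below is
# an assumption for illustration, not something ECS defines.

RISK_FIELDS = {
    "calculated_level": str,
    "calculated_score": float,
    "calculated_score_norm": float,
    "static_level": str,
    "static_score": float,
    "static_score_norm": float,
}

# Only these parent objects are expected to carry a risk sub-object.
ALLOWED_PARENTS = ("host", "user")


def normalize_score(score: float, max_score: float = 1000.0) -> float:
    """Linearly scale a raw score to 0..100 and clamp (assumed convention)."""
    if max_score <= 0:
        raise ValueError("max_score must be positive")
    return max(0.0, min(100.0, round(score / max_score * 100.0, 2)))


def risk_object(level: str, score: float, *, static: bool = False,
                max_score: float = 1000.0) -> dict:
    """Build a risk sub-object using the calculated_* or static_* field names."""
    prefix = "static" if static else "calculated"
    return {
        f"{prefix}_level": level,
        f"{prefix}_score": float(score),
        f"{prefix}_score_norm": normalize_score(score, max_score),
    }


def validate_risk_placement(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the document follows the rules."""
    problems = []
    if "risk" in doc:
        problems.append("risk.* must not be used at the root of the event")
    event = doc.get("event", {})
    if isinstance(event, dict) and "risk" in event:
        problems.append("risk.* must not be nested under event.*; "
                        "use event.risk_score / event.risk_score_norm")
    # Any other parent carrying a risk object: only host and user are expected.
    for parent, value in doc.items():
        if parent == "event" or not isinstance(value, dict) or "risk" not in value:
            continue
        if parent not in ALLOWED_PARENTS:
            problems.append(f"risk.* nested under unexpected parent '{parent}'")
        problems.extend(_check_fields(f"{parent}.risk", value["risk"]))
    return problems


def _check_fields(path: str, risk: dict) -> list[str]:
    """Check field names, types and the 0..100 range of the *_norm scores."""
    problems = []
    for name, value in risk.items():
        expected = RISK_FIELDS.get(name)
        if expected is None:
            problems.append(f"{path}.{name} is not a risk field")
            continue
        if expected is float:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                problems.append(f"{path}.{name} must be a float")
                continue
            if name.endswith("_norm") and not 0.0 <= value <= 100.0:
                problems.append(f"{path}.{name} must be within 0..100, got {value}")
        elif not isinstance(value, str):
            problems.append(f"{path}.{name} must be a keyword (string)")
    return problems


def example_document() -> dict:
    """A constructed ECS-style document with risk nested under host and user."""
    return {
        "@timestamp": "2024-01-01T00:00:00Z",
        "event": {"category": ["authentication"], "risk_score": 42.0},
        "host": {"name": "web-01", "risk": risk_object("High", 880.73)},
        "user": {"name": "alice", "risk": risk_object("High", 830.0, static=True)},
    }


if __name__ == "__main__":
    print("valid:", validate_risk_placement(example_document()) == [])
    bad = {"risk": {"calculated_level": "High"},
           "event": {"risk": {"static_score_norm": 140.0}}}
    for problem in validate_risk_placement(bad):
        print("problem:", problem)
```

The validator deliberately treats a risk object under event.* and at the document root as errors rather than warnings, since those placements are the two the page rules out; a risk object under any parent other than host or user is reported as unexpected rather than forbidden, matching the wording of the reuse section.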