Host risk score

edit

This feature is available for Elastic Stack versions 7.16.0 and newer.

The host risk score feature highlights risky hosts from within your environment. It utilizes a transform with a scripted metric aggregation to calculate host risk scores based on alerts that were generated within the past five days. The transform runs hourly to update the score as new alerts are generated.

Each rule’s contribution to the host risk score is based on the rule’s risk score (signal.rule.risk_score) and a time decay factor to reduce the impact of stale alerts. The risk score is calculated using a weighted sum where rules with higher time-corrected risk scores also have higher weights. Each host risk score is normalized to a scale of 0 to 100.

Specific host attributes can boost the final risk score. For example, alert activity on a server poses a greater risk than that on a laptop. Therefore, the host risk score is 1.5 times higher if the host is a server. This boosted score is finalized after calculating the weighted sum of the time-corrected risks.

The following table shows how risk levels are applied to a host, based on the normalized risk score:

Risk level Host risk score

Unknown

< 20

Low

20-40

Moderate

40-70

High

70-90

Critical

> 90

Deploy the host risk score package

edit

To deploy the host risk score framework in your environment, follow these steps. These instructions also include steps to enable the riskyHostsEnabled feature flag.

Update host risk score artifacts after you upgrade the Elastic Stack. To do this, download a release bundle that’s compatible with the new Elastic Stack version and repeat all the steps referenced above. Failure to do so might cause views in the Elastic Security app to break.

To view host risk score data in the Elastic Security app, you must enable the riskyHostsEnabled feature flag. However, enabling the feature flag is NOT required to view the Lens dashboards.

View host risk score data

edit

If the riskyHostsEnabled feature flag is enabled:

  1. In the Elastic Security app, go to the Overview page, then locate the Current host risk scores card in the lower-right corner.
  2. Click View dashboard.

    host score overview

If the riskyHostsEnabled feature flag is NOT enabled:

  1. In Kibana, go to Analytics → Dashboard.
  2. Select the Current Risk Score for Hosts dashboard.

    select dashboard
  3. In the Current Risk Scores for Hosts list, hover over the host name to view, click the + button, then select Go to Dashboard.

    go to dashboard

It is recommended you analyze hosts with the highest risk scores — or those in the Critical and Moderate categories first.

full dashboard

Use the histogram to track how the risk score for a particular host has changed over time. To specify a date range, use the date and time picker or drag and select a time range within the histogram.

histogram

To go to the host’s detail page, left-click any host’s corresponding bar in the histogram, then select Go to Host View.

go to host view

The data tables beneath the histogram display associated rules, users, and MITRE tactics of risky hosts. The table data is sorted in reverse chronological order by default, with the highest total risk score at the top. Use this information to triage alerts that pose the highest risk to your network.

data tables

Additional places to visualize host risk score data

edit

If the riskyHostsEnabled feature flag is enabled, you can visualize host risk score data in the following places in the Elastic Security app:

The Overview tab on the Alert details flyout:

score in flyout

The Host risk classification column in the All hosts table on the Hosts page:

hrs all hosts

The Hosts by risk tab on the Hosts page:

hosts by risk tab

The Overview section on the Host details page:

hrs overview section

The Hosts by risk tab on the Host details page:

hosts by risk details page