Risk information Fields

Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.

These fields are in beta and are subject to change.

Risk information Field Details
Field | Description | Level |
---|---|---|
| A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword | extended |
| A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float | extended |
| A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. type: float | extended |
| A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword | extended |
| A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float | extended |
| A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. type: float | extended |
Field Reuse

The risk fields are expected to be nested at:

- host.risk
- user.risk

Note also that the risk fields are not expected to be used directly at the root of the events.
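The placement rules above (risk nested only under host or user, never at the event root or under event.*, with normalized scores confined to 0 to 100) can be checked mechanically before documents are indexed. The validator below is an added example, not code from the ECS project; the leaf names in the sample documents (such as calculated_score_norm) are illustrative and are not taken from this page.

```python
# Added example: validate where ECS risk fields sit in an event document.
# Rules checked come from the fieldset text; sample documents are constructed.

ALLOWED_RISK_PARENTS = {"host", "user"}   # entities the risk fieldset may be nested under


def _walk(obj: dict, path: tuple = ()):
    """Yield (path, value) for every key in a nested dict, depth first."""
    for key, value in obj.items():
        here = path + (key,)
        yield here, value
        if isinstance(value, dict):
            yield from _walk(value, here)


def validate_risk_placement(doc: dict) -> list[str]:
    """Return a list of violations of the risk placement and range rules."""
    problems = []
    for path, value in _walk(doc):
        # A 'risk' object is only allowed as host.risk or user.risk.
        if path[-1] == "risk" and isinstance(value, dict):
            if len(path) == 1:
                problems.append("risk fields must not be used at the root of the event")
            elif path[0] == "event":
                problems.append("risk fields must not be nested under event.*")
            elif path[0] not in ALLOWED_RISK_PARENTS or len(path) != 2:
                problems.append(f"unexpected risk nesting at {'.'.join(path)}")
        # Normalized scores (names ending in _norm) must lie within 0..100.
        if path[-1].endswith("_norm") and isinstance(value, (int, float)):
            if not 0 <= value <= 100:
                problems.append(f"{'.'.join(path)}={value} is outside the 0-100 range")
    return problems


# Constructed samples: a compliant document and one with three violations.
# Leaf names under 'risk' are illustrative (hypothetical), not taken from the page.
GOOD_DOC = {
    "event": {"risk_score": 73.0, "risk_score_norm": 73.0},      # event risk stays on event.*
    "host": {"name": "web-01", "risk": {"calculated_score_norm": 61.5, "calculated_level": "Moderate"}},
    "user": {"name": "svc-backup", "risk": {"static_score_norm": 20.0}},
}
BAD_DOC = {
    "risk": {"calculated_score_norm": 50.0},                 # risk object at the root
    "event": {"risk": {"calculated_level": "High"}},         # risk object nested under event.*
    "host": {"risk": {"calculated_score_norm": 140.0}},      # normalized score out of range
}

if __name__ == "__main__":
    print("good:", validate_risk_placement(GOOD_DOC))
    print("bad:", validate_risk_placement(BAD_DOC))
```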