Risk information Fields
Fields for describing the risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.
These fields are in beta and are subject to change.
Risk information Field Details

| Field | Description | Level |
|---|---|---|
| risk.calculated_level | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword | extended |
| risk.calculated_score | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float | extended |
| risk.calculated_score_norm | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. type: float | extended |
| risk.static_level | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword | extended |
| risk.static_score | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float | extended |
| risk.static_score_norm | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. type: float | extended |
Field Reuse

The risk fields are expected to be nested at:

- host.risk
- user.risk

Note also that the risk fields are not expected to be used directly at the root of the events.
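As an added example (not part of the ECS documentation or tooling), the placement and range rules stated on this page can be checked on an incoming document before indexing: risk.* only under host or user, never under event.* or at the root, keyword fields as strings, score fields numeric, and *_norm scores within 0 to 100. The validator and the sample documents are constructed here for illustration.

```python
# Risk field names and the types the field table above assigns to them.
RISK_FIELDS = {
    "calculated_level": str,
    "calculated_score": float,
    "calculated_score_norm": float,
    "static_level": str,
    "static_score": float,
    "static_score_norm": float,
}
# The page expects risk to be nested only at host.risk and user.risk.
ALLOWED_PARENTS = {"host", "user"}


def flatten(doc: dict, prefix: str = "") -> dict:
    """Flatten a nested ECS document into dotted-key form."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def validate_risk_fields(doc: dict) -> list:
    """Return a list of rule violations; an empty list means the document is fine."""
    problems = []
    for path, value in flatten(doc).items():
        parts = path.split(".")
        if "risk" not in parts:  # event.risk_score etc. are untouched
            continue
        idx = parts.index("risk")
        parent, leaf = ".".join(parts[:idx]), ".".join(parts[idx + 1:])
        if parent == "":
            problems.append(f"{path}: risk.* must not be used at the event root")
        elif parts[0] == "event":
            problems.append(f"{path}: risk.* must not be nested under event.*; "
                            "use event.risk_score / event.risk_score_norm")
        elif parent not in ALLOWED_PARENTS:
            problems.append(f"{path}: risk is only expected at host.risk or user.risk")
        expected = RISK_FIELDS.get(leaf)
        if expected is None:
            problems.append(f"{path}: unknown risk field")
        elif expected is float:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                problems.append(f"{path}: expected float, got {type(value).__name__}")
            elif leaf.endswith("_norm") and not 0 <= value <= 100:
                problems.append(f"{path}: normalized score must be within 0 to 100")
        elif not isinstance(value, str):
            problems.append(f"{path}: expected keyword, got {type(value).__name__}")
    return problems


# Constructed sample documents (values are illustrative, not from ECS).
GOOD_DOC = {"host": {"name": "srv-01", "risk": {"calculated_level": "High",
                                                "calculated_score_norm": 88.5}},
            "event": {"risk_score": 73.0}}
BAD_DOC = {"risk": {"calculated_level": "High"},
           "event": {"risk": {"static_score_norm": 250.0}},
           "user": {"risk": {"static_level": 3}}}
```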