User risk score

This feature is available for Elastic Stack versions 8.3.0 and newer and requires a Platinum subscription or higher.

The user risk score feature highlights the riskiest user names in your environment. It uses a transform with a scripted metric aggregation to calculate a risk score for each user from the alerts generated within the past 90 days. The transform runs hourly, so scores are updated as new alerts are generated.

Each alert contributes to the user risk score according to its rule's risk score (signal.rule.risk_score). The user risk score is a weighted sum of those contributions in which alerts with higher time-corrected risk scores also carry higher weights, so severe alerts dominate the total rather than sheer alert count. Each user risk score is normalized to a scale of 0 to 100.

The following table shows how risk levels are applied to a username, based on the normalized risk score:

Risk level    User risk score
Unknown       < 20
Low           20-40
Moderate      40-70
High          70-90
Critical      > 90

Enable user risk score

You can enable user risk score from the following places in the Elastic Security app:

  • The Entity Analytics dashboard
  • The User risk tab on the Users page
  • The User risk tab on a user’s details page

Or, in Kibana, you can enable user risk score in Console.

To enable user risk score from the Entity Analytics dashboard:

  1. In the Elastic Security app, go to Dashboards → Entity Analytics.
  2. In the User Risk Scores section, click Enable to install the module.

To enable user risk score from the Users page:

  1. Go to Explore → Users.
  2. Select the User risk tab, then click Enable to install the module.

Enable User Risk score button

To enable user risk score from a user’s details page:

  1. Go to Explore → Users.
  2. Select the All users tab, then click a user name.
  3. On the details page, scroll down to the data tables, then select the User risk tab.
  4. Click Enable to install the module.

To enable user risk score from Console in Kibana, open a browser window and enter the following URL:

{KibanaURL}/s/{spaceID}/app/dev_tools#/console?load_from={KibanaURL}/s/{spaceID}/internal/risk_score/prebuilt_content/dev_tool/enable_user_risk_score

If there's existing content in Console, scroll to the bottom to find the loaded requests.

Upgrade user risk score

If you previously enabled user risk score and are upgrading to Elastic Stack version 8.5 or later, you'll see an Upgrade button for user risk score instead of Enable.

Before upgrading, note the following:

  • Older data is not preserved: previous user risk scores are deleted and new scores are created. If you want to retain old user risk scores, reindex them into a separate index before upgrading. To learn how, refer to Reindex API. New data is stored in the ml_user_risk_score_<space-id> and ml_user_risk_score_latest_<space-id> indices.
  • You must edit your Kibana settings and remove the xpack.securitySolution.enableExperimental:['riskyUsersEnabled'] feature flag.
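The reindex step above is the one place where data is lost if you skip it. The following is an added example, not part of the Elastic documentation or Elastic's own code: it builds the Reindex API calls that copy both risk score indices of a space into archive indices before the upgrade. The index names and the Reindex API come from the page; the archive suffix "pre_upgrade", the space ID "default" and the basic-auth transport are assumptions made here.

```python
"""Archive the user risk score indices of a Kibana space before upgrading.

Added example, not Elastic's code. Assumed: space ID "default", archive
suffix "pre_upgrade", Elasticsearch reachable over HTTP with basic auth.
"""
import base64
import json
import urllib.request


def risk_score_indices(space_id):
    # The two indices the user risk score module writes, as documented.
    return [
        f"ml_user_risk_score_{space_id}",
        f"ml_user_risk_score_latest_{space_id}",
    ]


def reindex_body(source_index, dest_index):
    # "conflicts": "proceed" lets a re-run continue past version conflicts
    # in an archive index that already holds some of the documents.
    return {
        "conflicts": "proceed",
        "source": {"index": source_index},
        "dest": {"index": dest_index},
    }


def archive_plan(space_id, suffix="pre_upgrade"):
    # One Reindex API request per index. wait_for_completion=false returns a
    # task ID immediately so a large 90-day history is copied in the background.
    plan = []
    for idx in risk_score_indices(space_id):
        plan.append(
            ("POST", "/_reindex?wait_for_completion=false",
             reindex_body(idx, f"{idx}_{suffix}"))
        )
    return plan


def send(es_url, plan, user, password):
    """Execute the plan against a live cluster and return the task IDs."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    task_ids = []
    for method, path, body in plan:
        req = urllib.request.Request(
            es_url.rstrip("/") + path,
            data=json.dumps(body).encode(),
            method=method,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            task_ids.append(json.load(resp)["task"])
    return task_ids


if __name__ == "__main__":
    # Print the requests so they can be pasted into Console instead of sent.
    for method, path, body in archive_plan("default"):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Poll each returned task with GET _tasks/<task_id>, then compare GET <index>/_count for source and archive before clicking Upgrade; once the upgrade has deleted the old scores there is nothing left to copy.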

After this is done, you can proceed with upgrading the user risk score feature from any of the following places in the Elastic Security app:

  • The Entity Analytics dashboard
  • The User risk tab on the Users page
  • The User risk tab on a user’s details page

After you enable or upgrade user risk score, you might get a message that says, "No user risk score data available to display." To verify that the transform installed by the user risk score module is picking up data, refer to Verify that user risk score data installed successfully.

Analyze user risk score data

It is recommended you analyze users with the highest risk scores first, those in the Critical and High categories. User risk score data appears in the following places in the Elastic Security app:

The user.risk.calculated_level column in the Alerts table:

User risk score in Alerts table

The Overview tab on the Alert details flyout:

User risk score in Alert details flyout

The User risk tab on the Users page:

User risk score on Users risk tab

The Overview section on the user details page:

User risk score in Overview section

The User risk tab on the user details page:

User risk score on the user details page

You can also visualize user risk score data using prebuilt dashboards that are automatically imported when the feature is enabled.

To access the dashboards:

  1. In Kibana, go to Analytics → Dashboard, then search for risk score.
  2. Select Drilldown of User Risk Score to analyze the risk components of a user, or Current Risk Score for Users to display a list of current risky users in your environment.

In this example, we’ll explore the Drilldown of User Risk Score dashboard.

Select dashboard

The histogram shows historical changes in a particular user’s risk score(s). To specify a date range, use the date and time picker, or drag and select a time range within the histogram. Click View source dashboard to view the top values of user.name and risk.keyword.

User risk score histogram

The data tables beneath the histogram display associated rules, users, and MITRE ATT&CK tactics seen for risky users. By default, the tables are sorted by risk, with the highest total risk scores at the top. Use this information to triage your highest risk users.

User risk score dashboard
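The dashboards sort by risk with the highest scores on top, and the level thresholds are the table at the start of this page. The following is an added example, not Elastic's code, that applies those documented thresholds to documents pulled from the ml_user_risk_score_latest_<space-id> index and produces a triage queue, Critical and High users first. Only user.name is named on the page; the score field (risk_stats.risk_score) and the sample documents are constructed here. The page's table does not say which level the exact boundary values (20, 40, 70, 90) fall into; this code assigns each boundary to the higher level, which is an assumption to check against your deployment.

```python
"""Rank users for triage using the documented risk-level thresholds.

Added example, not Elastic's code. Assumed: the score lives at
risk_stats.risk_score, and a boundary value belongs to the higher level.
"""

# (inclusive lower bound, level), highest first, from the page's table.
LEVELS = [
    (90, "Critical"),
    (70, "High"),
    (40, "Moderate"),
    (20, "Low"),
    (0, "Unknown"),
]
TRIAGE_ORDER = {level: rank for rank, (_, level) in enumerate(LEVELS)}


def risk_level(score):
    """Map a normalized 0-100 score to its documented level."""
    if not 0 <= score <= 100:
        raise ValueError(f"normalized score out of range: {score}")
    for lower, level in LEVELS:
        if score >= lower:
            return level
    return "Unknown"


def triage_queue(docs, min_level="High"):
    """Return (user, score, level) at or above min_level, riskiest first.

    min_level defaults to High because the page recommends starting with the
    Critical and High categories.
    """
    cutoff = TRIAGE_ORDER[min_level]
    rows = []
    for doc in docs:
        user = doc["user"]["name"]
        score = doc["risk_stats"]["risk_score"]  # assumed field name
        level = risk_level(score)
        if TRIAGE_ORDER[level] <= cutoff:
            rows.append((user, score, level))
    # Highest score first; ties broken by user name so the queue is stable.
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed sample documents shaped like the latest-scores index (not real data).
SAMPLE_DOCS = [
    {"user": {"name": "svc_backup"}, "risk_stats": {"risk_score": 93.4}},
    {"user": {"name": "alice"}, "risk_stats": {"risk_score": 70.0}},
    {"user": {"name": "bob"}, "risk_stats": {"risk_score": 39.9}},
    {"user": {"name": "carol"}, "risk_stats": {"risk_score": 12.0}},
    {"user": {"name": "dave"}, "risk_stats": {"risk_score": 70.0}},
]

if __name__ == "__main__":
    for user, score, level in triage_queue(SAMPLE_DOCS):
        print(f"{level:9} {score:6.1f} {user}")
```

Lower min_level to "Moderate" or "Low" once the top of the queue is cleared; a score of exactly 70.0 lands in High here, so confirm the boundary convention against what the Users page shows before relying on it in a runbook.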