Elastic Docs Elastic Security Solution [8.11] Technical preview Host risk score
« Host risk score User risk score »

Verify that host risk score data installed successfully (Optional)edit

After you enable or upgrade host risk score, the following message may appear:

Restart host risk score

If so, click Restart and allow at least an hour for the data to be generated. If data still doesn’t appear, verify that host risk score data has been generated:

In Kibana, run the following commands in Console to query the ml_host_risk_score_<space-id> index:

GET ml_host_risk_score_<space-id>/_search

If no data returns, you’ll need to check if the alerts index (.alerts-security.alerts-<space-id>) had alert data when ml_hostriskscore_pivot_transform_<space-id> was started.

Example:

GET transform/ml_hostriskscore_pivot_transform_<space-id>/_stats?human=true

Here’s an example response:

{
  "count": 1,
  "transforms": [
    {
      "id": "ml_hostriskscore_pivot_transform_<space-id>",
      "state": "started",
      "node": {
        "id": "H1tlwfTyRkWls-C0sarmHw",
        "name": "instance-0000000000",
        "ephemeral_id": "SBqlp5ywRuuop2gtcdCljA",
        "transport_address": "10.43.255.164:19635",
        "attributes": {}
      },
      "stats": {
        "pages_processed": 29,
        "documents_processed": 11805,
        "documents_indexed": 8,
        "documents_deleted": 0,
        "trigger_count": 9,
        "index_time_in_ms": 52,
        "index_total": 7,
        "index_failures": 0,
        "search_time_in_ms": 201,
        "search_total": 29,
        "search_failures": 0,
        "processing_time_in_ms": 14,
        "processing_total": 29,
        "delete_time_in_ms": 0,
        "exponential_avg_checkpoint_duration_ms": 59.02353261024906,
        "exponential_avg_documents_indexed": 0.8762710605864747,
        "exponential_avg_documents_processed": 1664.7724779548555
      },
      "checkpointing": {
        "last": {
          "checkpoint": 8,
          "timestamp": "2022-10-17T14:49:50.315Z",
          "timestamp_millis": 1666018190315,
          "time_upper_bound": "2022-10-17T14:47:50.315Z",
          "time_upper_bound_millis": 1666018070315
        },
        "operations_behind": 380,
        "changes_last_detected_at_string": "2022-10-17T14:49:50.113Z",
        "changes_last_detected_at": 1666018190113,
        "last_search_time_string": "2022-10-17T14:49:50.113Z",
        "last_search_time": 1666018190113
      }
    }
  ]
}

Take note of the value from time_upper_bound_millis and enter it as a range query for the alerts index.

Example:

GET .alerts-security.alerts-<space-id>/_search
{
  "query": {
    "range": {
      "@timestamp": {
        "lt": 1666018070315
      }
    }
  }
}

If there’s no response, verify that relevant rules are running and that alert data is being generated. If there is a response, click Restart and allow an hour for the host risk data to appear.

« Host risk score User risk score »