Verify that host risk score data installed successfully (Optional)

After you enable or upgrade host risk score, the following message may appear:

Restart host risk score

If so, click Restart and allow at least an hour for the data to be generated. If data still doesn't appear after that, verify whether host risk score data has actually been generated:

In Kibana, run the following command in Console to query the ml_host_risk_score_<space-id> index, where <space-id> is the ID of the Kibana space you enabled host risk score in:

GET ml_host_risk_score_<space-id>/_search

If the response contains hits (hits.total.value is greater than 0), the risk score data exists and no further checks are needed.

If no data is returned, check whether the alerts index (.alerts-security.alerts-<space-id>) contained alert data when the ml_hostriskscore_pivot_transform_<space-id> transform was started. The transform is fed by that index, so if no alerts existed at that point it had nothing to score. Start by retrieving the transform's statistics, which include the timestamp of its last checkpoint:

GET _transform/ml_hostriskscore_pivot_transform_<space-id>/_stats?human=true

Here's an example response; the value to look at is checkpointing.last.time_upper_bound_millis:

{
  "count": 1,
  "transforms": [
    {
      "id": "ml_hostriskscore_pivot_transform_<space-id>",
      "state": "started",
      "node": {
        "id": "H1tlwfTyRkWls-C0sarmHw",
        "name": "instance-0000000000",
        "ephemeral_id": "SBqlp5ywRuuop2gtcdCljA",
        "transport_address": "",
        "attributes": {}
      },
      "stats": {
        "pages_processed": 29,
        "documents_processed": 11805,
        "documents_indexed": 8,
        "documents_deleted": 0,
        "trigger_count": 9,
        "index_time_in_ms": 52,
        "index_total": 7,
        "index_failures": 0,
        "search_time_in_ms": 201,
        "search_total": 29,
        "search_failures": 0,
        "processing_time_in_ms": 14,
        "processing_total": 29,
        "delete_time_in_ms": 0,
        "exponential_avg_checkpoint_duration_ms": 59.02353261024906,
        "exponential_avg_documents_indexed": 0.8762710605864747,
        "exponential_avg_documents_processed": 1664.7724779548555
      },
      "checkpointing": {
        "last": {
          "checkpoint": 8,
          "timestamp": "2022-10-17T14:49:50.315Z",
          "timestamp_millis": 1666018190315,
          "time_upper_bound": "2022-10-17T14:47:50.315Z",
          "time_upper_bound_millis": 1666018070315
        },
        "operations_behind": 380,
        "changes_last_detected_at_string": "2022-10-17T14:49:50.113Z",
        "changes_last_detected_at": 1666018190113,
        "last_search_time_string": "2022-10-17T14:49:50.113Z",
        "last_search_time": 1666018190113
      }
    }
  ]
}

Take note of the time_upper_bound_millis value (1666018070315 in the example above) and use it as the upper bound (lt) of a range query against the alerts index. This returns the alerts that existed before the transform's last checkpoint, which is the data the transform would have had available to score:


GET .alerts-security.alerts-<space-id>/_search
{
  "query": {
    "range": {
      "@timestamp": {
        "lt": 1666018070315
      }
    }
  }
}

If the query returns no hits (hits.total.value is 0), no alerts existed before the checkpoint, so the transform had nothing to score: verify that the relevant detection rules are enabled and running and that alert data is being generated. If hits are returned, alerts do exist, so click Restart and allow an hour for the host risk data to appear.
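The same checklist can be scripted when you have to verify several spaces or clusters. The Python helper below is an added example, not part of the Elastic documentation or the Elastic code base. It works offline on the JSON that the three Console commands (or the equivalent curl calls) return: it extracts time_upper_bound_millis from the transform stats, builds the range query for the alerts index, and walks the decision steps above to name the next action. SPACE_ID and the sample responses are constructed (the transform values are copied from the example response on this page); the checks on transform state and on index_failures/search_failures are additional sanity checks that go beyond the page's steps, not something the documentation prescribes.

```python
import json

SPACE_ID = "default"  # assumption: the Kibana space to check (the page's <space-id>)


def risk_index(space_id=SPACE_ID):
    return f"ml_host_risk_score_{space_id}"


def transform_id(space_id=SPACE_ID):
    return f"ml_hostriskscore_pivot_transform_{space_id}"


def alerts_index(space_id=SPACE_ID):
    return f".alerts-security.alerts-{space_id}"


def hit_count(search_response):
    """Number of matching documents in an Elasticsearch _search response.

    hits.total is an object {"value": N, "relation": ...} on current clusters;
    older responses carried a bare integer, so both forms are accepted.
    """
    total = search_response.get("hits", {}).get("total", 0)
    if isinstance(total, dict):
        return int(total.get("value", 0))
    return int(total)


def find_transform(stats_response, tid):
    """Locate one transform entry in a GET _transform/<id>/_stats response."""
    for t in stats_response.get("transforms", []):
        if t.get("id") == tid:
            return t
    raise KeyError(f"transform {tid} not in _stats response")


def last_checkpoint_upper_bound(stats_response, tid):
    """checkpointing.last.time_upper_bound_millis of the named transform."""
    last = find_transform(stats_response, tid).get("checkpointing", {}).get("last", {})
    if "time_upper_bound_millis" not in last:
        raise KeyError("transform has not completed a checkpoint yet")
    return int(last["time_upper_bound_millis"])


def alerts_before_checkpoint_query(upper_bound_millis):
    """Body for GET <alerts index>/_search: alerts older than the checkpoint bound.

    size 0 with track_total_hits keeps the response small but gives an exact count.
    """
    return {
        "size": 0,
        "track_total_hits": True,
        "query": {"range": {"@timestamp": {"lt": upper_bound_millis}}},
    }


# Verdicts returned by diagnose(); they mirror the steps of the checklist.
OK = "risk score data present"
TRANSFORM_UNHEALTHY = "transform stopped or failed: check its state and logs"  # extra check
TRANSFORM_ERRORS = "transform reports index/search failures: check its logs"  # extra check
NO_ALERTS = "no alerts before last checkpoint: verify rules are running and generating alerts"
RESTART = "alerts exist: click Restart and allow an hour for risk data to appear"


def diagnose(risk_search, transform_stats, alerts_search, tid):
    """Walk the checklist over the three JSON responses and return the next action."""
    if hit_count(risk_search) > 0:
        return OK
    t = find_transform(transform_stats, tid)
    if t.get("state") in ("stopped", "failed"):
        return TRANSFORM_UNHEALTHY
    stats = t.get("stats", {})
    if stats.get("index_failures", 0) or stats.get("search_failures", 0):
        return TRANSFORM_ERRORS
    if hit_count(alerts_search) == 0:
        return NO_ALERTS
    return RESTART


# Constructed sample responses; transform values copied from the example above.
SAMPLE_STATS = {
    "count": 1,
    "transforms": [{
        "id": transform_id(),
        "state": "started",
        "stats": {"index_failures": 0, "search_failures": 0, "documents_indexed": 8},
        "checkpointing": {"last": {"checkpoint": 8,
                                   "time_upper_bound": "2022-10-17T14:47:50.315Z",
                                   "time_upper_bound_millis": 1666018070315}},
    }],
}
EMPTY_SEARCH = {"hits": {"total": {"value": 0, "relation": "eq"}, "hits": []}}
SOME_ALERTS = {"hits": {"total": {"value": 380, "relation": "eq"}, "hits": []}}

if __name__ == "__main__":
    bound = last_checkpoint_upper_bound(SAMPLE_STATS, transform_id())
    print(f"GET {alerts_index()}/_search")
    print(json.dumps(alerts_before_checkpoint_query(bound), indent=2))
    print(diagnose(EMPTY_SEARCH, SAMPLE_STATS, SOME_ALERTS, transform_id()))
```

Feed diagnose() the parsed responses of the risk index search, the transform stats call and the alerts range query in that order; the risk index search is checked first so that a populated index short-circuits the rest, exactly as the checklist does.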