Risk information fields

Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.

Warning

These fields are in beta and are subject to change.

Fields (each entry lists the description, type, example and level):

risk.calculated_level
  A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
  type: keyword
  example: High
  level: extended

risk.calculated_score
  A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
  type: float
  example: 880.73
  level: extended

risk.calculated_score_norm
  A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.
  type: float
  example: 88.73
  level: extended

risk.static_level
  A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
  type: keyword
  example: High
  level: extended

risk.static_score
  A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
  type: float
  example: 830.0
  level: extended

risk.static_score_norm
  A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.
  type: float
  example: 83.0
  level: extended

The risk fields are expected to be nested at:

  • host.risk
  • user.risk

Note also that the risk fields are not expected to be used directly at the root of an event.
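As an added example that is not part of the ECS documentation, the following Python validator applies the rules above to a nested event document: risk objects are accepted only under host.risk and user.risk, rejected under event.* and at the root, and each field is checked against the type and 0..100 range given in the table. The field list comes from this page; the function names and the sample document are my own.

```python
# Risk field names and types from the table above; *_norm scores must lie in 0..100.
RISK_FIELDS = {
    "calculated_level": str,
    "calculated_score": float,
    "calculated_score_norm": float,
    "static_level": str,
    "static_score": float,
    "static_score_norm": float,
}
ALLOWED_PARENTS = {"host", "user"}  # host.risk and user.risk only

def _check_risk_object(path, obj, problems):
    """Type-check the fields of one risk object found at dotted path `path`."""
    if not isinstance(obj, dict):
        problems.append(f"{path}: expected an object, got {type(obj).__name__}")
        return
    for name, value in obj.items():
        field = f"{path}.{name}"
        if name not in RISK_FIELDS:
            problems.append(f"{field}: unknown risk field")
        elif RISK_FIELDS[name] is str:
            if not isinstance(value, str):
                problems.append(f"{field}: expected keyword (string)")
        elif isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{field}: expected float")
        elif name.endswith("_norm") and not 0 <= value <= 100:
            problems.append(f"{field}: normalized score {value} outside 0..100")

def validate_risk_fields(doc, _path=""):
    """Return every placement or type violation found in a nested ECS-style document."""
    problems = []
    for key, value in doc.items():
        path = f"{_path}.{key}" if _path else key
        if key == "risk":
            if _path == "":
                problems.append("risk: risk fields are not expected at the event root")
            elif _path == "event" or _path.startswith("event."):
                problems.append(f"{path}: not allowed under event.*; use event.risk_score(_norm)")
            elif _path not in ALLOWED_PARENTS:
                problems.append(f"{path}: expected under host.risk or user.risk")
            _check_risk_object(path, value, problems)
        elif isinstance(value, dict):
            problems.extend(validate_risk_fields(value, path))
    return problems

# Constructed sample: host.risk is placed correctly, event.risk and the root risk object are not.
SAMPLE = {"host": {"risk": {"calculated_level": "High", "calculated_score_norm": 88.73}},
          "event": {"risk": {"static_score": 830.0}}, "risk": {"static_level": "High"}}
```

Running `validate_risk_fields(SAMPLE)` reports exactly the two misplaced objects and nothing for host.risk.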