---
title: Turn on risk scoring
description: You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts, users, and services found in the 1000 sampled...
url: https://www.elastic.co/elastic/docs-builder/docs/3466/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Turn on risk scoring
<important>
  To use entity risk scoring, your role must have the appropriate user role or privileges. For more information, refer to [Entity risk scoring requirements](https://www.elastic.co/elastic/docs-builder/docs/3466/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements).
</important>


## Preview risky entities

You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts, users, and services found in the 1000 sampled entities during the time frame selected in the date picker.
<note>
  The preview is limited to two risk scores per Kibana instance or serverless project.
</note>

<applies-switch>
  <applies-item title="{ stack: ga 9.4+, serverless: ga }" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Generally available since 9.4">
    To preview risky entities, go to the **Entity Analytics** management page. Accessing this page differs based on the [solution view](/elastic/docs-builder/docs/3466/deploy-manage/manage-spaces#spaces-managing) that you're using:
    - **Security solution view**: Find **Stack Management → Entity Analytics** in the navigation menu.
    - **Classic view**: Find **Manage → Entity Analytics** in the navigation menu.
  </applies-item>

  <applies-item title="{ stack: ga 9.0-9.3 }" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    To preview risky entities, find **Entity risk score** in the navigation menu or by using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3466/explore-analyze/find-and-organize/find-apps-and-objects).
  </applies-item>
</applies-switch>


## Turn on risk scoring

<note>
  - To view risk score data, you must have alerts generated in your environment.
  - In Elastic Stack, if you previously installed the original user and host risk score modules, and you’re upgrading to Elastic Stack version 9.0 or later, refer to [Upgrade to the latest risk engine](#upgrade-risk-engine).
</note>

<applies-switch>
  <applies-item title="{ stack: ga 9.4+, serverless: ga }" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Generally available since 9.4">
    <important>
      Turning on risk scoring and entity store on deployments with less than 4 GB of memory is not recommended, as the cluster might become heavily loaded by the processes required to run Entity Analytics. For optimal performance, we recommend at least 8 GB of memory.
    </important>
    In the default Kibana space, both the risk scoring engine and entity store are enabled automatically.For non-default spaces, if you're enabling risk scoring for the first time:
    1. Go to the **Entity Analytics** management page. Accessing this page differs based on the [solution view](/elastic/docs-builder/docs/3466/deploy-manage/manage-spaces#spaces-managing) that you're using:
       - **Security solution view**: Find **Stack Management → Entity Analytics** in the navigation menu.
    - **Classic view**: Find **Manage → Entity Analytics** in the navigation menu.
    2. Turn the toggle on.
       <note>
       The toggle activates both the risk scoring engine and the [entity store](https://www.elastic.co/elastic/docs-builder/docs/3466/solutions/security/advanced-entity-analytics/entity-store).
       </note>
    3. In the **Entity Risk Score** tab, choose whether to retain the [last calculated risk scores](/elastic/docs-builder/docs/3466/solutions/security/advanced-entity-analytics/entity-risk-scoring#residual-risk-score).
    4. Optionally, specify a date and time range for the calculation.
    5. Choose whether to include closed alerts in risk scoring calculations.
    6. Optionally, filter out alerts by defining conditions for the entity types or attributes that you want to exclude from the calculation. For example, if you don't want to calculate risk scores for users with a **Low impact** asset criticality level, enter `not user.asset.criticality: "low_impact"`.
  </applies-item>

  <applies-item title="{ stack: ga 9.0-9.3 }" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    1. Find **Entity Risk Score** in the navigation menu or using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3466/explore-analyze/find-and-organize/find-apps-and-objects).
    2. Turn the toggle on.
    3. <applies-to>Elastic Stack: Generally available from 9.2 to 9.3</applies-to> Choose whether to retain the [last calculated risk scores](/elastic/docs-builder/docs/3466/solutions/security/advanced-entity-analytics/entity-risk-scoring#residual-risk-score).
    4. Optionally, specify a date and time range for the calculation.
    5. Choose whether to include closed alerts in risk scoring calculations.
    6. <applies-to>Elastic Stack: Generally available in 9.3</applies-to> Optionally, filter out alerts by defining conditions for the entity types or attributes that you want to exclude from the calculation. For example, if you don't want to calculate risk scores for users with a **Low impact** asset criticality level, enter `not user.asset.criticality: "low_impact"`.
  </applies-item>
</applies-switch>

![Turn on entity risk scoring](https://www.elastic.co/elastic/docs-builder/docs/3466/solutions/images/security-turn-on-risk-scoring.png)


## Upgrade to the latest risk engine

<applies-to>
  - Elastic Stack: Generally available
</applies-to>

If you upgraded to 9.0 or later from an earlier Elastic Stack version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as:
- The Entity Analytics dashboard
- The **User risk** tab on the Users page
- The **User risk** tab on a user’s details page
- The **Host risk** tab on the Hosts page
- The **Host risk** tab on a host’s details page

![Prompt to upgrade to the latest risk engine](https://www.elastic.co/elastic/docs-builder/docs/3466/solutions/images/security-risk-engine-upgrade-prompt.png)

<applies-switch>
  <applies-item title="{ stack: ga 9.4+ }" applies-to="Elastic Stack: Generally available since 9.4">
    1. Click **Manage** in the upgrade prompt, or find the **Entity Analytics** management page in the navigation menu.
    2. Click **Start update** next to the **Update available** label.
    3. On the confirmation message, click **Yes, update now**. The old transform is removed and the latest risk engine is installed.
    4. When the installation is complete, confirm that the **Entity Risk Score** toggle is on.
  </applies-item>

  <applies-item title="{ stack: ga 9.0-9.3 }" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    1. Click **Manage** in the upgrade prompt, or find **Entity risk score** in the navigation menu.
    2. Click **Start update** next to the **Update available** label.
    3. On the confirmation message, click **Yes, update now**. The old transform is removed and the latest risk engine is installed.
    4. When the installation is complete, confirm that the **Entity risk score** toggle is on.
  </applies-item>
</applies-switch>

<note>
  Previous risk score data is retained when you upgrade to the latest risk engine.
</note>