View and analyze risk score data
The Elastic Security app provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the Elastic Security app to view and analyze risk score data:
- Entity Analytics dashboard
- Alerts page
- Alert details flyout
- Hosts and Users pages
- Host and user details pages
- Host and user details flyouts
Tip
We recommend that you prioritize alert triaging to identify anomalies or abnormal behavior patterns.
Entity Analytics dashboard
From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the Alerts column to investigate and analyze the alerts on the Alerts page.
If you have enabled the entity store, the dashboard also displays the Entities section, where you can view all hosts and users along with their risk and asset criticality data.
Alert triaging
You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the Elastic Security app.
Alerts page
Use the Alerts table to investigate and analyze:
- Host and user risk levels
- Host and user risk scores
- Asset criticality
To display entity risk score and asset criticality data in the Alerts table, select Fields, and add the following:
- user.risk.calculated_level or host.risk.calculated_level
- user.risk.calculated_score_norm or host.risk.calculated_score_norm
- user.asset.criticality or host.asset.criticality
Learn more about customizing the Alerts table.
Triage alerts associated with high-risk or business-critical entities
To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level.
Note
If you change the entity’s criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level.
- Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, edit the default controls to filter by:
  - user.risk.calculated_level or host.risk.calculated_level for entity risk level:
    :::{image} ../../../images/security-filter-by-host-risk-level.png
    :alt: Alerts filtered by high host risk level
    :class: screenshot
    :::
  - user.asset.criticality or host.asset.criticality for asset criticality level:
    :::{image} ../../../images/security-filter-by-asset-criticality.png
    :alt: Filter alerts by asset criticality level
    :class: screenshot
    :::
- To group alerts by entity risk level or asset criticality level, select Group alerts by, then select Custom field and search for:
  - host.risk.calculated_level or user.risk.calculated_level for entity risk level:
    :::{image} ../../../images/security-group-by-host-risk-level.png
    :alt: Alerts grouped by host risk levels
    :class: screenshot
    :::
  - host.asset.criticality or user.asset.criticality for asset criticality level:
    :::{image} ../../../images/security-group-by-asset-criticality.png
    :alt: Alerts grouped by entity asset criticality levels
    :class: screenshot
    :::
- You can further sort the grouped alerts by highest entity risk score:
  - Expand a risk level group (for example, High) or an asset criticality group (for example, high_impact).
  - Select Sort fields → Pick fields to sort by.
  - Select fields in the following order:
    - host.risk.calculated_score_norm or user.risk.calculated_score_norm: High-Low
    - Risk score: High-Low
    - @timestamp: New-Old
  (Screenshot: High-risk alerts sorted by host risk score)
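As an added example (not code from the Elastic documentation), the following Python reproduces the filter, group and sort order described above over constructed alert documents, so you can see why entity risk rather than rule risk drives the triage order. It assumes the Alerts table's Risk score column maps to the field kibana.alert.risk_score.

```python
from datetime import datetime

# Constructed sample alert documents (not real data), using the entity risk and
# asset criticality fields the page lists. "kibana.alert.risk_score" is assumed
# to be the field behind the Alerts table's "Risk score" column.
SAMPLE_ALERTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "web-01",
     "host.risk.calculated_level": "High", "host.risk.calculated_score_norm": 78.2,
     "host.asset.criticality": "high_impact", "kibana.alert.risk_score": 47},
    {"@timestamp": "2024-05-01T11:00:00Z", "host.name": "db-02",
     "host.risk.calculated_level": "High", "host.risk.calculated_score_norm": 91.5,
     "host.asset.criticality": "extreme_impact", "kibana.alert.risk_score": 21},
    {"@timestamp": "2024-05-01T12:00:00Z", "host.name": "web-01",
     "host.risk.calculated_level": "High", "host.risk.calculated_score_norm": 78.2,
     "host.asset.criticality": "high_impact", "kibana.alert.risk_score": 73},
    {"@timestamp": "2024-05-01T09:00:00Z", "user.name": "svc-backup",
     "user.risk.calculated_level": "Moderate", "user.risk.calculated_score_norm": 42.0,
     "kibana.alert.risk_score": 47},
    {"@timestamp": "2024-05-01T08:00:00Z", "host.name": "kiosk-07",
     "host.risk.calculated_level": "Low", "host.risk.calculated_score_norm": 12.3,
     "kibana.alert.risk_score": 99},
]

LEVEL_ORDER = ("Critical", "High", "Moderate", "Low", "Unknown")

def entity_field(alert, suffix):
    """Return the host.* value if the alert has one, otherwise the user.* value."""
    return alert.get("host." + suffix, alert.get("user." + suffix))

def filter_by_criticality(alerts, wanted=("extreme_impact", "high_impact")):
    """Keep alerts whose entity was business-critical when the alert fired."""
    return [a for a in alerts if entity_field(a, "asset.criticality") in wanted]

def sort_key(alert):
    """Entity risk score High-Low, then Risk score High-Low, then @timestamp New-Old."""
    score = entity_field(alert, "risk.calculated_score_norm") or 0.0
    ts = datetime.fromisoformat(alert["@timestamp"].replace("Z", "+00:00"))
    return (-score, -alert.get("kibana.alert.risk_score", 0), -ts.timestamp())

def group_by_risk_level(alerts):
    """Group alerts by entity risk level and apply the triage sort inside each group."""
    groups = {}
    for alert in alerts:
        level = entity_field(alert, "risk.calculated_level") or "Unknown"
        groups.setdefault(level, []).append(alert)
    return {level: sorted(items, key=sort_key) for level, items in groups.items()}

def triage_order(alerts):
    """Flatten the groups from highest to lowest risk level: the order to work through."""
    grouped = group_by_risk_level(alerts)
    ordered = [a for level in LEVEL_ORDER for a in grouped.get(level, [])]
    return [(entity_field(a, "name"), a["@timestamp"]) for a in ordered]
```

Note that kiosk-07 lands last despite its rule risk score of 99, because its entity risk level is Low.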
Alert details flyout
To access risk score data in the alert details flyout, select Insights → Entities on the Overview tab:
Hosts and Users pages
On the Hosts and Users pages, you can access the risk score data:
- In the Host risk level or User risk level column on the All hosts or All users tab:
  :::{image} ../../../images/security-hosts-hr-level.png
  :alt: Host risk level data on the All hosts tab of the Hosts page
  :class: screenshot
  :::
- On the Host risk or User risk tab:
  :::{image} ../../../images/security-hosts-hr-data.png
  :alt: Host risk data on the Host risk tab of the Hosts page
  :class: screenshot
  :::
Host and user details pages
On the host details and user details pages, you can access the risk score data:
- In the Overview section:
  :::{image} ../../../images/security-host-details-overview.png
  :alt: Host risk data in the Overview section of the host details page
  :class: screenshot
  :::
- On the Host risk or User risk tab:
  :::{image} ../../../images/security-host-details-hr-tab.png
  :alt: Host risk data on the Host risk tab of the host details page
  :class: screenshot
  :::
Host and user details flyouts
In the host details and user details flyouts, you can access the risk score data in the risk summary section: