Entity analytics
Entity analytics helps security teams detect emerging threats by assessing the risk posture of hosts, users, and services across your environment. It combines the SIEM detection engine with machine learning to score entity risk, identify anomalous behavior, and surface insider threats, so you can prioritize investigations and respond faster.
Rather than triaging alerts one at a time, entity analytics continuously evaluates risk using detection alerts, asset criticality assignments, and behavioral anomalies. You can focus on the entities that pose the greatest risk and investigate the full pattern of activity behind each score.
| Your goal | Start here |
|---|---|
| Set up entity risk scoring for the first time | Entity risk scoring requirements → Turn on the risk scoring engine |
| Monitor risk scores for hosts, users, and services | Entity risk scoring → View and analyze risk score data |
| Detect behavioral anomalies with machine learning | Advanced behavioral detections → Anomaly detection |
| Prioritize high-value assets | Asset criticality |
| Monitor privileged user activity | Privileged user monitoring |
Entity analytics operates continuously across several stages:
- Collect data: The risk scoring engine ingests detection alerts, asset criticality levels, and privileged user designations from across your Elastic Security deployment.
- Score risk: The engine calculates risk scores (0–100) for hosts, users, and services based on alert severity, frequency, and asset criticality. Scores are recalculated on a recurring interval.
- Detect anomalies: Prebuilt machine learning jobs identify unusual patterns in user and host behavior that may indicate compromise or insider threats.
- Enrich entities: The entity store reconciles data from ingested logs, identity providers, and risk scores into a unified view of each entity.
- Investigate and respond: The Entity analytics overview page surfaces the highest-risk entities, anomalies, and KPIs so you can triage and investigate efficiently.
Entity analytics provides the following core capabilities that work together to give you a complete picture of entity risk across your environment:
- Entity risk scoring: Assign risk scores to hosts, users, and services based on detection alerts and asset criticality. The risk scoring engine runs on a recurring interval, using a weighted sum to calculate scores from 0 (lowest risk) to 100 (highest risk). Use risk scores to identify which entities require immediate attention and track how risk changes over time.
- Anomaly detection: Use machine learning anomaly detection to identify suspicious behavior patterns, such as unusual login locations, atypical process execution, or abnormal network activity, that rule-based detections might miss. Prebuilt machine learning jobs are tailored to common security use cases.
- Privileged user monitoring: Track the activity of users with elevated permissions, such as system administrators or users with access to sensitive data. Identify suspicious activities like over-provisioning of rights or potential insider threats before they cause damage.
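The following is an added illustration of how the three ingredients named above (alert severity, alert frequency, and asset criticality) can combine into a 0–100 weighted-sum score per entity. It is example code written for this page, not Elastic's risk engine or its actual formula: the severity weights, the rank-decay exponent, the criticality modifiers, and the sample alerts are all assumptions constructed for the demonstration.

```python
"""Illustrative weighted-sum entity risk scorer (added example).

Not Elastic's risk engine: the weights, decay exponent, and criticality
modifiers below are assumptions chosen to show how alert severity, alert
frequency, and asset criticality can combine into a 0-100 score.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed severity weights (constructed for this example).
SEVERITY_WEIGHT = {"low": 21, "medium": 47, "high": 73, "critical": 99}

# Assumed asset criticality modifiers; entities without an assignment get 1.0.
CRITICALITY_MODIFIER = {
    "low_impact": 0.5,
    "medium_impact": 1.0,
    "high_impact": 1.5,
    "extreme_impact": 2.0,
}

# Assumed: the alert at rank r (1 = most severe) contributes weight / r**DECAY.
DECAY = 1.5

# Bound on the raw sum for an entity with unlimited critical alerts (partial sum
# of the decay series), used to normalize raw sums onto 0-100.
MAX_RAW = SEVERITY_WEIGHT["critical"] * sum(1 / (i + 1) ** DECAY for i in range(100_000))


@dataclass(frozen=True)
class Alert:
    entity_type: str  # "host", "user", or "service"
    entity_id: str
    severity: str


def raw_score(alerts):
    """Sum alert weights, highest severity first, discounting each by its rank.

    Ranking by severity and decaying by position means many low alerts raise
    the score (frequency matters) but cannot outweigh a single critical one.
    """
    weights = sorted((SEVERITY_WEIGHT[a.severity] for a in alerts), reverse=True)
    return sum(w / (rank + 1) ** DECAY for rank, w in enumerate(weights))


def entity_score(alerts, criticality=None):
    """Normalize the raw sum to 0-100, apply the criticality modifier, cap at 100."""
    modifier = CRITICALITY_MODIFIER.get(criticality, 1.0)
    return min(100.0, raw_score(alerts) / MAX_RAW * 100 * modifier)


def score_entities(alerts, criticality_by_entity):
    """Group alerts per (type, id) and return scores ordered highest risk first."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[(a.entity_type, a.entity_id)].append(a)
    scores = {
        key: entity_score(group, criticality_by_entity.get(key))
        for key, group in grouped.items()
    }
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample alerts and criticality assignments (not real data).
SAMPLE_ALERTS = (
    [Alert("host", "h-01", "critical")]
    + [Alert("host", "h-01", "low")] * 2
    + [Alert("user", "alice", "medium")] * 4
    + [Alert("service", "svc-db", "low")]
    + [Alert("user", "bob", "low")] * 20
)
SAMPLE_CRITICALITY = {
    ("host", "h-01"): "high_impact",
    ("user", "alice"): "medium_impact",
    ("service", "svc-db"): "extreme_impact",
    # ("user", "bob") deliberately has no criticality assigned
}

if __name__ == "__main__":
    for (etype, eid), score in score_entities(SAMPLE_ALERTS, SAMPLE_CRITICALITY).items():
        print(f"{etype:8} {eid:8} {score:6.2f}")
```

Running the block ranks the host with one critical alert above the user with four medium alerts, while the user with twenty low alerts still edges past a single low alert on an extreme-impact service: severity dominates, frequency still counts, and criticality scales the result without letting it exceed 100.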
- Turn on the risk scoring engine to begin calculating entity risk scores.
- Enable the entity store for centralized entity management.
- Set up anomaly detection to identify behavioral threats.
- Assign asset criticality to prioritize high-value entities.
- Explore host, user, and network data across your environment.