
Entity analytics

Entity analytics helps security teams detect emerging threats by assessing the risk posture of hosts, users, and services across your environment. It combines the SIEM detection engine with machine learning to score entity risk, identify anomalous behavior, and surface insider threats, so you can prioritize investigations and respond faster.

Rather than triaging alerts one at a time, entity analytics continuously evaluates risk using detection alerts, asset criticality assignments, and behavioral anomalies. You can focus on the entities that pose the greatest risk and investigate the full pattern of activity behind each score.

| Your goal | Start here |
| --- | --- |
| Set up entity risk scoring for the first time | Entity risk scoring requirements; Turn on risk scoring |
| Monitor risk scores for hosts, users, and services | Entity risk scoring; View and analyze risk score data |
| Detect behavioral anomalies with machine learning | Advanced behavioral detections; Anomaly detection |
| Prioritize high-value assets | Asset criticality |
| Manage watchlists and factor membership into risk scoring | Watchlists |
| Link entity records representing the same real-world identity | Entity resolution |
| Hunt for threats using AI-generated leads | Entity analytics overview |
| Investigate entity connections and relationships in a graph | View entity details > Visualizations |
| Monitor privileged user activity | Privileged user monitoring |

Entity analytics operates continuously across several stages:

  1. Collect data: The risk scoring engine ingests detection alerts, asset criticality levels, and privileged user designations from across your Elastic Security deployment.

  2. Score risk: The engine calculates risk scores (0–100) for hosts, users, and services based on alert severity, frequency, and asset criticality. Scores are recalculated on a recurring interval.

  3. Detect anomalies: Prebuilt machine learning jobs identify unusual patterns in user and host behavior that may indicate compromise or insider threats.

  4. Enrich entities: The entity store reconciles data from ingested logs, identity providers, and risk scores into a unified view of each entity.

    The entity store resolves entities using shared identity matching across sources, so a single real-world entity observed across multiple identity providers appears as one deduplicated record.

  5. Investigate and respond: Use the Entity analytics page to review risk scores, surface anomalies, and prioritize investigations.

Entity analytics provides the following core capabilities that work together to give you a complete picture of entity risk across your environment.

Assign risk scores to hosts, users, and services based on detection alerts and asset criticality. The risk scoring engine runs on a recurring interval, using a weighted sum to calculate scores from 0 (lowest risk) to 100 (highest risk). Use risk scores to identify which entities require immediate attention and track how risk changes over time.

Use machine learning anomaly detection to identify suspicious behavior patterns — such as unusual login locations, atypical process execution, or abnormal network activity — that rule-based detections might miss. Prebuilt machine learning jobs are tailored to common security use cases.

Define custom groups of entities — such as executives or critical infrastructure hosts — and factor watchlist membership directly into entity risk scoring. A built-in Privileged Users watchlist automatically pulls in administrative users from the Active Directory and Okta integrations.

Link multiple entity records that represent the same real-world identity into a resolution group. The primary entity aggregates risk scores from all linked records, giving you a consolidated view across identity providers such as Okta, Active Directory, and Entra ID.
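To make the composition of a score concrete, here is an added, illustrative Python model of the pieces described above: a weighted sum over an entity's alerts, an asset criticality multiplier, a watchlist bump, and aggregation of a resolution group onto its primary entity. It is not Elastic's risk engine, which this page does not detail; the severity weights, the halving decay, the flat watchlist bonus, the way a group pools alerts, and the entity records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed weights for illustration only; not Elastic's published engine.
SEVERITY_WEIGHT = {"low": 10, "medium": 25, "high": 50, "critical": 80}
CRITICALITY_MULTIPLIER = {"unassigned": 1.0, "low_impact": 0.75,
                          "medium_impact": 1.0, "high_impact": 1.25,
                          "extreme_impact": 1.5}
WATCHLIST_BONUS = 10.0  # flat bump for watchlist members (assumption)


@dataclass
class EntityRecord:
    entity_id: str                 # e.g. "okta:alice@corp.example" (constructed)
    alert_severities: List[str]    # severities of the alerts on this record
    criticality: str = "unassigned"
    on_watchlist: bool = False


def weighted_alert_sum(severities: List[str]) -> float:
    """Rank alerts by severity and halve each successive alert's weight, so
    frequency still counts but many low alerts cannot outrank one critical."""
    weights = sorted((SEVERITY_WEIGHT[s] for s in severities), reverse=True)
    return sum(w / (2 ** i) for i, w in enumerate(weights))


def risk_score(severities: List[str], criticality: str, on_watchlist: bool) -> float:
    """Weighted sum, scaled by criticality, plus watchlist bump, clamped to 0..100."""
    raw = weighted_alert_sum(severities) * CRITICALITY_MULTIPLIER[criticality]
    if on_watchlist:
        raw += WATCHLIST_BONUS
    return max(0.0, min(100.0, raw))


def score_record(rec: EntityRecord) -> float:
    return risk_score(rec.alert_severities, rec.criticality, rec.on_watchlist)


def score_resolution_group(primary: EntityRecord, linked: List[EntityRecord]) -> float:
    """Score the primary over the union of alerts from every linked record,
    keeping the primary's own criticality and watchlist status (assumption)."""
    pooled = list(primary.alert_severities)
    for rec in linked:
        pooled.extend(rec.alert_severities)
    return risk_score(pooled, primary.criticality, primary.on_watchlist)


# Constructed sample: one person seen by two identity providers.
OKTA_ALICE = EntityRecord("okta:alice@corp.example", ["medium", "low"],
                          criticality="high_impact", on_watchlist=True)
AD_ALICE = EntityRecord("ad:CORP\\alice", ["high"],
                        criticality="high_impact", on_watchlist=True)

if __name__ == "__main__":
    print(score_record(OKTA_ALICE))                        # 47.5
    print(score_record(AD_ALICE))                          # 72.5
    print(score_resolution_group(OKTA_ALICE, [AD_ALICE]))  # 91.25
```

Scored separately, neither record looks alarming; pooled through the resolution group, the same person's activity across both providers produces a noticeably higher score on the primary entity.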

Investigate entity connections and relationships directly from the entity details flyout. The overview panel shows a graph preview of the entity's connections over the last 30 days, and the Graph View tab in the expanded panel provides a full interactive investigation experience. Graph visualization requires the entity store to be enabled and populated in the active space.

Track the activity of users with elevated permissions, such as system administrators or users with access to sensitive data. Identify suspicious activities like over-provisioning of rights or potential insider threats before they cause damage.