---
title: Entity analytics
description: Assess entity risk for hosts, users, and services, detect behavioral anomalies with machine learning, and monitor privileged users in Elastic Security.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Entity analytics
Entity analytics helps security teams detect emerging threats by assessing the risk posture of hosts, users, and services across your environment. It combines the SIEM detection engine with machine learning to score entity risk, identify anomalous behavior, and surface insider threats, so you can prioritize investigations and respond faster.
Rather than triaging alerts one at a time, entity analytics continuously evaluates risk using detection alerts, asset criticality assignments, and behavioral anomalies. You can focus on the entities that pose the greatest risk and investigate the full pattern of activity behind each score.

## Where to start


| Your goal                                                                                                                                                                                      | Start here                                                                                                                                                                                                                                                                                                                                                 |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Set up entity risk scoring for the first time                                                                                                                                                  | [Entity risk scoring requirements](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements) → [Turn on risk scoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine) |
| Monitor risk scores for hosts, users, and services                                                                                                                                             | [Entity risk scoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/entity-risk-scoring) → [View and analyze risk score data](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data)              |
| Detect behavioral anomalies with machine learning                                                                                                                                              | [Advanced behavioral detections](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/advanced-behavioral-detections) → [Anomaly detection](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/anomaly-detection)                  |
| Prioritize high-value assets                                                                                                                                                                   | [Asset criticality](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/asset-criticality)                                                                                                                                                                                                     |
| <applies-to>Elastic Stack: Generally available since 9.4</applies-to> <applies-to>Elastic Cloud Serverless: Planned</applies-to> Manage watchlists and factor membership into risk scoring     | [Watchlists](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/watchlists)                                                                                                                                                                                                                   |
| <applies-to>Elastic Stack: Generally available since 9.4</applies-to> <applies-to>Elastic Cloud Serverless: Planned</applies-to> Link entity records representing the same real-world identity | [Entity resolution](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/entity-resolution)                                                                                                                                                                                                     |
| <applies-to>Elastic Stack: Preview since 9.4</applies-to> <applies-to>Elastic Cloud Serverless: Planned</applies-to> Hunt for threats using AI-generated leads                                 | [Entity analytics overview](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/overview)                                                                                                                                                                                                      |
| <applies-to>Elastic Stack: Preview since 9.4</applies-to> <applies-to>Elastic Cloud Serverless: Planned</applies-to> Investigate entity connections and relationships in a graph               | [View entity details > Visualizations](/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/view-entity-details#visualizations)                                                                                                                                                                                                    |
| <applies-to>Elastic Stack: Deprecated in 9.4, Elastic Stack: Generally available in 9.3, Elastic Stack: Preview from 9.1 to 9.2</applies-to> Monitor privileged user activity                  | [Privileged user monitoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/privileged-user-monitoring)                                                                                                                                                                                   |


## How entity analytics works

Entity analytics operates continuously across several stages:
1. **Collect data:** The risk scoring engine ingests detection alerts, asset criticality levels, and privileged user designations from across your Elastic Security deployment.
2. **Score risk:** The engine calculates risk scores (0–100) for hosts, users, and services based on alert severity, frequency, and asset criticality. Scores are recalculated on a recurring interval.
3. **Detect anomalies:** Prebuilt machine learning jobs identify unusual patterns in user and host behavior that may indicate compromise or insider threats.
4. **Enrich entities:** The [entity store](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/entity-store) reconciles data from ingested logs, identity providers, and risk scores into a unified view of each entity.
   <applies-to>Elastic Stack: Generally available since 9.4</applies-to> <applies-to>Elastic Cloud Serverless: Planned</applies-to> The entity store resolves entities using shared identity matching across sources, so a single real-world entity observed across multiple identity providers appears as one deduplicated record.
5. **Investigate and respond:** Use the [Entity analytics page](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/overview) to review risk scores, surface anomalies, and prioritize investigations.


## Key capabilities

Entity analytics provides the following core capabilities that work together to give you a complete picture of entity risk across your environment.

### Entity risk scoring

Assign risk scores to hosts, users, and services based on detection alerts and asset criticality. The risk scoring engine runs on a recurring interval, using a weighted sum to calculate scores from 0 (lowest risk) to 100 (highest risk). Use risk scores to identify which entities require immediate attention and track how risk changes over time.

### Advanced behavioral detections

Use machine learning anomaly detection to identify suspicious behavior patterns — such as unusual login locations, atypical process execution, or abnormal network activity — that rule-based detections might miss. Prebuilt machine learning jobs are tailored to common security use cases.

### Watchlists

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available since 9.4
</applies-to>

Define custom groups of entities — such as executives or critical infrastructure hosts — and factor watchlist membership directly into entity risk scoring. A built-in **Privileged Users** watchlist automatically pulls in administrative users from the [Active Directory](https://docs-v3-preview.elastic.dev/elastic/integration-docs/tree/main/reference/entityanalytics_ad) and [Okta](https://docs-v3-preview.elastic.dev/elastic/integration-docs/tree/main/reference/entityanalytics_okta) integrations.

### Entity resolution

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available since 9.4
</applies-to>

Link multiple entity records that represent the same real-world identity into a resolution group. The primary entity aggregates risk scores from all linked records, giving you a consolidated view across identity providers such as Okta, Active Directory, and Entra ID.
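The following Python model is an added illustration of two behaviors described on this page: the rank-weighted sum that turns detection alerts and asset criticality into a 0–100 score (see Entity risk scoring above), and the way a resolution group's primary entity is scored over the alerts of every linked record. It is not Elastic's engine or its published formula. The decay exponent, alert cap, criticality modifier values, the odds-style criticality adjustment, and the sample alerts are assumptions constructed for the example.

```python
"""Illustrative entity risk scoring model (added example, not Elastic's engine).

The decay exponent, alert cap, criticality modifiers and the adjustment formula
below are assumptions chosen to show the behaviour a rank-weighted sum gives;
they are not the engine's configured values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

DECAY = 1.5        # assumed: alert at rank r contributes score / r**DECAY
MAX_ALERTS = 100   # assumed: only the top-N alerts per entity are counted

# Assumed modifiers for the four asset criticality levels (illustrative values).
CRITICALITY_MODIFIER = {
    "low_impact": 0.5,
    "medium_impact": 1.0,
    "high_impact": 1.5,
    "extreme_impact": 2.0,
}


@dataclass(frozen=True)
class Alert:
    entity: str       # e.g. a user.name or host.name value
    risk_score: int   # the detection rule's risk score, 0-100
    rule: str


def weighted_sum(alerts: Iterable[Alert]) -> float:
    """Rank alerts by risk score (highest first) and sum score / rank**DECAY.

    The decay means a burst of low-severity alerts cannot outrank a few
    critical ones, and the total stays bounded however many alerts arrive.
    """
    scores = sorted((a.risk_score for a in alerts), reverse=True)[:MAX_ALERTS]
    return sum(s / rank ** DECAY for rank, s in enumerate(scores, start=1))


def max_weighted_sum() -> float:
    """Weighted sum of MAX_ALERTS alerts of score 100: the value mapped to 100 points."""
    return sum(100 / rank ** DECAY for rank in range(1, MAX_ALERTS + 1))


def entity_risk(alerts: Iterable[Alert], criticality: str = "medium_impact") -> float:
    """Return a 0-100 risk score for one entity.

    The normalized weighted sum is treated as a probability-like value and the
    criticality modifier is applied as an odds multiplier (assumed form), so
    the result stays within 0-100 for every modifier.
    """
    base = 100.0 * weighted_sum(alerts) / max_weighted_sum()
    p = base / 100.0
    m = CRITICALITY_MODIFIER[criticality]
    adjusted = 100.0 * (p * m) / (p * m + (1.0 - p))
    return round(min(100.0, adjusted), 2)


def resolved_risk(alerts_by_record: Dict[str, List[Alert]], group: Iterable[str],
                  criticality: str = "medium_impact") -> float:
    """Score a resolution group over the union of its linked records' alerts.

    Scoring the merged list ranks one person's activity across identity
    providers together instead of splitting it into two weaker scores.
    """
    merged = [a for record in group for a in alerts_by_record.get(record, [])]
    return entity_risk(merged, criticality)


# Constructed sample data: the same engineer as seen by two identity sources.
SAMPLE_ALERTS: Dict[str, List[Alert]] = {
    "okta:jdoe@example.com": [
        Alert("okta:jdoe@example.com", 73, "Unusual login location"),
        Alert("okta:jdoe@example.com", 47, "Multiple failed MFA"),
    ],
    "ad:CORP\\jdoe": [
        Alert("ad:CORP\\jdoe", 73, "Privilege escalation via group change"),
    ],
}


def demo() -> Dict[str, float]:
    """Score each record alone, then the resolved group, at two criticality levels."""
    group = list(SAMPLE_ALERTS)
    return {
        "okta_only": entity_risk(SAMPLE_ALERTS[group[0]]),
        "ad_only": entity_risk(SAMPLE_ALERTS[group[1]]),
        "resolved": resolved_risk(SAMPLE_ALERTS, group),
        "resolved_extreme": resolved_risk(SAMPLE_ALERTS, group, "extreme_impact"),
    }


if __name__ == "__main__":
    for label, score in demo().items():
        print(f"{label:>17}: {score}")
```

Running `demo()` shows two properties worth checking in any rank-weighted model: one critical alert scores higher than hundreds of low-severity ones, so noisy rules cannot push an entity to the top on volume alone, and linking the Okta and Active Directory records raises the primary entity's score above either record but by less than their sum, because the merged alerts now share one ranking.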

### Graph visualization

<applies-to>
  - Elastic Cloud Serverless: Planned
  - Elastic Stack: Preview since 9.4
</applies-to>

Investigate entity connections and relationships directly from the entity details flyout. The overview panel shows a graph preview of the entity's connections over the last 30 days, and the **Graph View** tab in the expanded panel provides a full interactive investigation experience. Graph visualization requires [entity store](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/entity-store) to be enabled and populated in the active space.

### Privileged user monitoring

<applies-to>
  - Elastic Stack: Deprecated in 9.4
  - Elastic Stack: Generally available in 9.3
  - Elastic Stack: Preview from 9.1 to 9.2
</applies-to>

Track the activity of users with elevated permissions, such as system administrators or users with access to sensitive data. Identify suspicious activities like over-provisioning of rights or potential insider threats before they cause damage.

## Next steps

- [Turn on risk scoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine) to begin calculating entity risk scores.
- [Enable the entity store](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/entity-store) for centralized entity management.
- [Set up anomaly detection](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/anomaly-detection) to identify behavioral threats.
- [Assign asset criticality](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/asset-criticality) to prioritize high-value entities.
- <applies-to>Elastic Stack: Generally available since 9.4</applies-to> <applies-to>Elastic Cloud Serverless: Generally available</applies-to> [Create watchlists](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/watchlists) to factor entity group membership into risk scoring.
- [Explore host, user, and network data](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/explore) across your environment.