
Entity risk scoring

Entity risk scoring is an advanced Elastic Security analytics feature that helps security analysts detect changes in an entity’s risk posture, hunt for new threats, and prioritize incident response.

Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days.

It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all Elastic Security use cases, and allows you to customize and control how and when risk is calculated.

Entity risk scores are determined by the following risk inputs:

| Risk input | Storage location |
| --- | --- |
| Alerts | .alerts-security.alerts-<space-id> index alias |
| Asset criticality level | .asset-criticality.asset-criticality-<space-id> index alias |

The resulting entity risk scores are stored in the risk-score.risk-score-<space-id> data stream alias.


Entities without any alerts, or with only Closed alerts, are not assigned a risk score.

  1. The risk scoring engine runs hourly to aggregate Open and Acknowledged alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.


    When turning on the risk engine, you can choose to also include Closed alerts in risk scoring calculations.

  2. The engine groups alerts by host.name or user.name, and aggregates the individual alert risk scores (kibana.alert.risk_score) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the Alerts category in the entity’s risk summary.

  3. The engine then verifies the entity’s asset criticality level. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the Alerts category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the Asset Criticality category in the entity’s risk summary.

    | Asset criticality level | Default risk weight |
    | --- | --- |
    | Low impact | 0.5 |
    | Medium impact | 1 |
    | High impact | 1.5 |
    | Extreme impact | 2 |

    Asset criticality levels and default risk weights are subject to change.

  4. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels:

    | Risk level | Risk score |
    | --- | --- |
    | Unknown | < 20 |
    | Low | 20-40 |
    | Moderate | 40-70 |
    | High | 70-90 |
    | Critical | > 90 |
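The four steps above, worked through as an added Python example that is not Elastic's own implementation: it groups constructed sample alerts by host.name, aggregates their kibana.alert.risk_score values with a rank-weighted sum so that higher-scoring alerts weigh more (the exponent and normalizer are assumptions, not the engine's published formula), applies the page's default criticality weights through an assumed odds-based update that keeps the result inside 0-100, and maps the final score to a risk level.

```python
from collections import defaultdict
# Default risk weight per asset criticality level (values from the page).
CRITICALITY_WEIGHT = {"low_impact": 0.5, "medium_impact": 1.0,
                      "high_impact": 1.5, "extreme_impact": 2.0}
MAX_ALERTS = 10_000  # per-entity alert cap stated on the page
RANK_EXPONENT = 1.5  # assumption: decay exponent of the rank weighting
# Normalizer (assumption): MAX_ALERTS alerts all scoring 100 map to exactly 100.
_MAX_TOTAL = sum(100 / i ** RANK_EXPONENT for i in range(1, MAX_ALERTS + 1))

def aggregate_alert_scores(scores):
    """Rank-weighted sum: the top alert counts fully, the i-th counts 1/i^1.5."""
    ranked = sorted(scores, reverse=True)[:MAX_ALERTS]
    total = sum(s / i ** RANK_EXPONENT for i, s in enumerate(ranked, start=1))
    return 100 * total / _MAX_TOTAL

def apply_criticality(score, level):
    """Assumed odds-based update: a weight above 1 cannot push the score past 100."""
    if level is None or score >= 100:
        return score
    odds = score / (100 - score) * CRITICALITY_WEIGHT[level]
    return 100 * odds / (1 + odds)

def risk_level(score):
    # Bands follow the page's table; exactly 90 is treated as High (assumption).
    if score < 20: return "Unknown"
    if score < 40: return "Low"
    if score < 70: return "Moderate"
    return "High" if score <= 90 else "Critical"

def score_entities(alerts, criticality, field="host.name", include_closed=False):
    """Group alerts by entity, aggregate their scores, then apply criticality."""
    allowed = {"open", "acknowledged"} | ({"closed"} if include_closed else set())
    by_entity = defaultdict(list)
    for a in alerts:
        if a["kibana.alert.workflow_status"] in allowed and a.get(field):
            by_entity[a[field]].append(a["kibana.alert.risk_score"])
    result = {}
    for name, scores in by_entity.items():
        alert_score = aggregate_alert_scores(scores)
        final = apply_criticality(alert_score, criticality.get(name))
        result[name] = {"alerts": round(alert_score, 1), "score": round(final, 1), "level": risk_level(final)}
    return result

# Constructed sample alerts and criticality assignments (not real data).
SAMPLE_ALERTS = [
    {"host.name": "web-01", "kibana.alert.workflow_status": "open", "kibana.alert.risk_score": 99},
    {"host.name": "web-01", "kibana.alert.workflow_status": "acknowledged", "kibana.alert.risk_score": 99},
    {"host.name": "web-01", "kibana.alert.workflow_status": "open", "kibana.alert.risk_score": 73},
    {"host.name": "lab-07", "kibana.alert.workflow_status": "closed", "kibana.alert.risk_score": 21},
]
SAMPLE_CRITICALITY = {"web-01": "extreme_impact"}
```

With these inputs web-01 lands in the Moderate band on alerts alone and is lifted into High by its Extreme impact criticality, while lab-07's only alert is Closed and therefore receives no score unless Closed alerts are included.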

Learn how to turn on the risk scoring engine.