Turn on the risk scoring engine
This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to Entity risk scoring requirements.
Preview risky entities
You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users among a sample of 1000 entities, scored over the time frame selected in the date picker.
The preview is limited to two risk scores per Kibana instance.
To preview risky entities, find Entity Risk Score in the navigation menu or by using the global search field.
Turn on the latest risk engine
- To view risk score data, you must have alerts generated in your environment.
- If you previously installed the original user and host risk score modules, and you’re upgrading to Elastic Stack version 8.11 or newer, refer to Upgrade to the latest risk engine.
If you’re installing the risk scoring engine for the first time:
- Find Entity Risk Score in the navigation menu.
- On the Entity Risk Score page, turn the toggle on.
You can also choose to include Closed alerts in risk scoring calculations and specify a date and time range for the calculation.
Upgrade to the latest risk engine
If you upgraded to 8.11 from an earlier Elastic Stack version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as:
- The Entity Analytics dashboard
- The User risk tab on the Users page
- The User risk tab on a user’s details page
- The Host risk tab on the Hosts page
- The Host risk tab on a host’s details page
To upgrade:
- Click Manage in the upgrade prompt, or find Entity Risk Score in the navigation menu.
- On the Entity Risk Score page, click Start update next to the Update available label.
- On the confirmation message, click Yes, update now. The old transform is removed and the latest risk engine is installed.
- When the installation is complete, confirm that the Entity risk score toggle is on.
Previous risk score data is retained when you upgrade to the latest risk engine.