Specify entity risk score in rules

This document describes how to use entity risk score information in rules. The process is similar to using entity context in rules. For more information, see Creating context-aware analytics.

To retrieve an entity risk score, join an entity with a UDM event and retrieve the specified field from EntityRisk.

The following example shows how to check whether an entity whose hostname matches the UDM event has a normalized risk score greater than 100.

rule EntityRiskScore {
  meta:
  events:
    $log_in.metadata.event_type = "USER_LOGIN"
    $log_in.principal.hostname = $host

    $risk_score.graph.entity.hostname = $host
    $risk_score.graph.risk_score.risk_window_size.seconds = 604800

  match:
    $host over 2m

  outcome:
    $entity_risk_score = max($risk_score.graph.risk_score.normalized_risk_score)

  condition:
    $log_in and $risk_score and $entity_risk_score > 100
}

The only valid risk windows for entity risk score rules are 24 hours or 7 days (86,400 or 604,800 seconds respectively). If you omit the risk window size from the rule, the rule returns inaccurate results.
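The following rule is an added example, not one of the examples from the original page: it applies the same pattern to a user entity instead of an asset, joins on the user id rather than the hostname, and uses the 24-hour risk window (86,400 seconds). The join fields `principal.user.userid` and `graph.entity.user.userid` are assumed from the standard UDM event and entity schemas; the risk score fields are the ones used on this page.

```yaral
rule UserEntityRiskScore24h {
  meta:
    author = "example"
    description = "Added example: login by a user whose 24-hour normalized risk score exceeds 100"

  events:
    // Login event, joined on the user id (field name assumed from standard UDM).
    $log_in.metadata.event_type = "USER_LOGIN"
    $log_in.principal.user.userid = $user

    // Risk score entity for the same user (entity field name assumed from the UDM entity graph).
    $risk_score.graph.entity.user.userid = $user
    // 24-hour window; the only other valid value is 604800 (7 days).
    $risk_score.graph.risk_score.risk_window_size.seconds = 86400

  match:
    $user over 2m

  outcome:
    $entity_risk_score = max($risk_score.graph.risk_score.normalized_risk_score)

  condition:
    $log_in and $risk_score and $entity_risk_score > 100
}
```

Choosing the 24-hour window makes the rule react to recent changes in risk, while the 7-day window used in the page's examples smooths over short-lived spikes; pick the window that matches how quickly you need the detection to respond, and always set one of the two values explicitly.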

Entity risk score data is stored separately from entity context data. To use both in a rule, the rule must declare two separate entity events, one for the entity context and one for the entity risk score, as shown in the following example:

rule EntityContextAndRiskScore {
  meta:
  events:
    $log_in.metadata.event_type = "USER_LOGIN"
    $log_in.principal.hostname = $host

    $context.graph.entity.hostname = $host
    $context.graph.metadata.entity_type = "ASSET"

    $risk_score.graph.entity.hostname = $host
    $risk_score.graph.risk_score.risk_window_size.seconds = 604800

  match:
    $host over 2m

  outcome:
    $entity_risk_score = max($risk_score.graph.risk_score.normalized_risk_score)

  condition:
    $log_in and $context and $risk_score and $entity_risk_score > 100
}