EntityRisk

Stores information related to the risk score of an entity. Next ID: 15

JSON representation 
{
  "riskVersion": string,
  "riskWindow": {
    object (Interval)
  },
  "DEPRECATEDRiskScore": integer,
  "detectionsCount": integer,
  "firstDetectionTime": string,
  "lastDetectionTime": string,
  "riskScore": number,
  "normalizedRiskScore": integer,
  "riskWindowSize": string,
  "lastResetTime": string,
  "detailUri": string,
  "riskWindowHasNewDetections": boolean,
  "riskDelta": {
    object (RiskDelta)
  },
  "rawRiskDelta": {
    object (RiskDelta)
  }
}
Fields
riskVersion

string

Version of the risk score calculation algorithm.
riskWindow

object (Interval)

Time window used when computing the risk score for an entity, for example 24 hours or 7 days.
DEPRECATEDRiskScore
(deprecated)

integer

Deprecated risk score.
detectionsCount

integer

Number of detections that make up the risk score within the time window.
firstDetectionTime

string (Timestamp format)

Timestamp of the first detection within the specified time window. This field is empty when there are no detections.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
lastDetectionTime

string (Timestamp format)

Timestamp of the last detection within the specified time window. This field is empty when there are no detections.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
riskScore

number

Raw risk score for the entity.
normalizedRiskScore

integer

Normalized risk score for the entity. This value is between 0-1000.
riskWindowSize

string (Duration format)

Risk window duration for the entity.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
lastResetTime

string (Timestamp format)

Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
detailUri

string

Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL.
riskWindowHasNewDetections

boolean

Whether there are new detections for the risk window.
riskDelta

object (RiskDelta)

Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.
rawRiskDelta

object (RiskDelta)

Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.

RiskDelta

Describes the difference in risk score between two points in time.

JSON representation 
{
  "previousRangeEndTime": string,
  "riskScoreDelta": integer,
  "previousRiskScore": integer,
  "riskScoreNumericDelta": integer
}
Fields
previousRangeEndTime

string (Timestamp format)

End time of the previous time window.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
riskScoreDelta

integer

Difference in the normalized risk score from the previous recorded value.
previousRiskScore

integer

Risk score from previous risk window
riskScoreNumericDelta

integer

Numeric change between current and previous risk score