
[Internal]: Risk Scoring Maintainer Docs #6117

@hop-dev

Description

The previous standalone "risk engine" has been replaced by a new "risk score maintainer" that is integrated directly into the Entity Store. This is a breaking change as the scoring model, entity identification, and setup workflow have all changed.

High level changes

1. Risk scoring is now part of Entity Store setup

Previously, the risk engine had its own dedicated setup/enablement flow: users had to enable the risk engine and the entity store separately. In v2, risk scoring is enabled automatically as part of Entity Store setup. There is no longer a separate "enable risk engine" step.

What stays the same: Risk scoring still runs on an hourly schedule. Users can still configure the scoring interval and trigger manual runs in the same way as before.

2. Only entities in the Entity Store are scored

The previous risk engine scored all alerts that had a recognisable entity name (a user.name, host.name, or service.name field). This meant risk scores could appear for entities that were not enrolled in the Entity Store.

The new risk score maintainer only scores entities that already exist in the Entity Store. If an alert references a host or user that is not enrolled, that alert does not contribute to any risk score. This is a deliberate change: risk scoring is now tightly coupled to the Entity Store as the source of truth for which entities are tracked.

3. Entity identification uses EUID instead of name fields

Previously, entities were identified by their name fields (user.name, host.name). The new system uses Entity Unique Identifiers (EUIDs): stable, structured identifiers computed from the entity's identity fields (e.g. host:<id>, user:<email@namespace>). This means risk scores are tied to a resolved entity identity rather than a potentially ambiguous name string.

4. Resolution scoring

This is the biggest new capability. When entities share a resolution target (i.e. they have been resolved as representing the same real-world entity), the risk score maintainer produces a resolution group score in addition to each entity's individual (base) score.

Resolution scoring works as follows:

  • Alert aggregation: All alerts from all members of a resolution group are combined and scored together, producing a single resolution group score. This score will typically be higher than any individual member's base score because it incorporates alerts from multiple entity records.
  • Watchlist membership: The resolution group score includes watchlist membership from all members of the group (union of all watchlists).
  • Asset criticality: The resolution group score uses the highest asset criticality value from any member of the group.
  • Related entities: The resolution score document includes a list of the contributing entity aliases in the group.

Resolution scores appear in the UI alongside base scores (see UI changes below).
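The following is an added illustration of the two behaviours described in sections 2 and 4 above: alerts for entities not enrolled in the Entity Store contribute nothing, each enrolled entity gets a base score, and a resolution group gets one combined score built from all members' alerts, the highest member criticality and the union of member watchlists. This is not Kibana's code and not the product's scoring formula; the alert weighting (each successive alert counts half as much), the modifier values, the record field names and the sample data are all assumptions made for this example.

```typescript
// Added illustration of the v2 model described in this issue (enrolled-only scoring,
// base scores, resolution group scores). Not Kibana's code: the alert weighting,
// the modifier tables, the field names and the sample data are assumptions.

type Criticality = "low_impact" | "medium_impact" | "high_impact" | "extreme_impact";

interface EntityRecord {
  euid: string;                // stable entity identity, e.g. "host:<id>"
  criticality?: Criticality;   // asset criticality read from the Entity Store document
  watchlists: string[];        // named watchlists the entity is a member of
  resolutionTarget?: string;   // EUID this entity has been resolved to, if any
}

interface Alert {
  entityEuid: string;          // EUID the alert was attributed to
  riskScore: number;           // per-alert risk score
}

interface BaseScore { euid: string; score: number; }
interface ResolutionScore {
  target: string;              // EUID of the resolution target
  score: number;
  relatedEntities: string[];   // contributing entity aliases in the group
  watchlists: string[];        // union of member watchlists
  criticality?: Criticality;   // highest member criticality
}

// Assumed modifier tables (placeholders, not product values).
const CRITICALITY_RANK: Record<Criticality, number> = { low_impact: 1, medium_impact: 2, high_impact: 3, extreme_impact: 4 };
const CRITICALITY_MODIFIER: Record<Criticality, number> = { low_impact: 0.5, medium_impact: 1, high_impact: 1.5, extreme_impact: 2 };
const WATCHLIST_MODIFIER: Record<string, number> = { "executives": 1.25, "privileged-users": 1.5 };

// Placeholder aggregation: sort alerts descending, each successive alert counts half as much.
function aggregateAlerts(alerts: Alert[]): number {
  const sorted = alerts.map((a) => a.riskScore).sort((a, b) => b - a);
  return sorted.reduce((acc, s, i) => acc + s / Math.pow(2, i), 0);
}

// Multiply the aggregate by the criticality modifier and every matching watchlist modifier.
function applyModifiers(raw: number, criticality: Criticality | undefined, watchlists: string[]): number {
  let m = criticality ? CRITICALITY_MODIFIER[criticality] : 1;
  for (const w of watchlists) m *= WATCHLIST_MODIFIER[w] ?? 1;
  return raw * m;
}

// Group alerts by EUID, keeping only alerts whose entity is enrolled in the store.
function alertsByEnrolledEntity(store: EntityRecord[], alerts: Alert[]): Map<string, Alert[]> {
  const enrolled = new Set(store.map((e) => e.euid));
  const out = new Map<string, Alert[]>();
  for (const a of alerts) {
    if (!enrolled.has(a.entityEuid)) continue; // unenrolled entity: contributes to no score
    out.set(a.entityEuid, (out.get(a.entityEuid) ?? []).concat([a]));
  }
  return out;
}

// Base score: one score per enrolled entity that has at least one alert.
function scoreBase(store: EntityRecord[], alerts: Alert[]): BaseScore[] {
  const grouped = alertsByEnrolledEntity(store, alerts);
  return store
    .filter((e) => grouped.has(e.euid))
    .map((e) => ({ euid: e.euid, score: applyModifiers(aggregateAlerts(grouped.get(e.euid)!), e.criticality, e.watchlists) }));
}

// Resolution group score: a target plus every entity resolved to it, scored together.
function scoreResolutionGroups(store: EntityRecord[], alerts: Alert[]): ResolutionScore[] {
  const grouped = alertsByEnrolledEntity(store, alerts);
  const groups = new Map<string, EntityRecord[]>();
  for (const e of store) {
    const target = e.resolutionTarget ?? e.euid;
    groups.set(target, (groups.get(target) ?? []).concat([e]));
  }
  const result: ResolutionScore[] = [];
  groups.forEach((members, target) => {
    if (members.length < 2) return; // a singleton is not a resolution group
    const combinedAlerts = members.reduce<Alert[]>((acc, m) => acc.concat(grouped.get(m.euid) ?? []), []);
    const criticality = members
      .map((m) => m.criticality)
      .filter((c): c is Criticality => c !== undefined)
      .sort((a, b) => CRITICALITY_RANK[b] - CRITICALITY_RANK[a])[0]; // highest criticality wins
    const watchlists = Array.from(new Set(members.reduce<string[]>((acc, m) => acc.concat(m.watchlists), [])));
    result.push({
      target,
      score: applyModifiers(aggregateAlerts(combinedAlerts), criticality, watchlists),
      relatedEntities: members.map((m) => m.euid),
      watchlists,
      criticality,
    });
  });
  return result;
}

// Constructed sample data: two records resolved to one person, one standalone host,
// and one alert for a host that is not enrolled.
const SAMPLE_STORE: EntityRecord[] = [
  { euid: "user:alice@corp", criticality: "medium_impact", watchlists: ["executives"] },
  { euid: "user:alice@legacy", criticality: "high_impact", watchlists: ["privileged-users"], resolutionTarget: "user:alice@corp" },
  { euid: "host:h-1", watchlists: [] },
];
const SAMPLE_ALERTS: Alert[] = [
  { entityEuid: "user:alice@corp", riskScore: 24 },
  { entityEuid: "user:alice@corp", riskScore: 12 },
  { entityEuid: "user:alice@legacy", riskScore: 16 },
  { entityEuid: "host:h-1", riskScore: 40 },
  { entityEuid: "host:h-unknown", riskScore: 90 }, // not enrolled: ignored entirely
];
```

With the sample data, `scoreBase` yields 37.5 for user:alice@corp, 36 for user:alice@legacy and 40 for host:h-1, while host:h-unknown receives no score despite carrying the highest-scoring alert. `scoreResolutionGroups` yields a single group for user:alice@corp whose score (98.4375) exceeds either member's base score because it combines all three alerts, takes high_impact as the criticality and applies both watchlists.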

tore knows about an entity and how that entity is scored.

UI changes

Entity flyout - risk summary

  • The entity flyout risk summary now shows two score cards when resolution scoring is active:
    • Entity risk score: the individual entity's base risk score
    • Resolution group risk score: the combined score for the entity's resolution group (only shown when a resolution score exists)

Risk contributions tab

  • When a resolution score exists, the risk contributions tab shows a toggle between entity-level and resolution-level contributions.
  • In resolution view, both the Contexts and Alerts tables include an Entity ID column showing which member of the resolution group contributed each item.
  • Watchlist rows display watchlist names (not just IDs).
  • For context rows (watchlists and asset criticality), attribution can show multiple entity IDs when multiple members of the group match.
  • Entity ID links open preview-mode entity flyouts for navigation without replacing the current flyout.

Preview API

  • The risk score preview API now returns EUID-based identifiers (entity.id) when Entity Store V2 is enabled.
  • Preview shows base scores only (resolution scoring requires persistent state and is excluded from preview).

Resources

| PR | Title | Summary |
| --- | --- | --- |
| elastic/kibana#259732 | EUID-based risk scoring and entity resolution via Entity Store maintainer | Core backend implementation: new scoring pipeline, EUID-based identity, Entity Store integration, resolution scoring engine, modifier sourcing, reset mechanism |
| hop-dev/kibana#1 | Risk score maintainer phase 2: lookup sync and resolution scoring | Resolution scoring engine: lookup index sync, resolution group scoring via LOOKUP JOIN, group-level modifier merging (max criticality, union watchlists) |
| elastic/kibana#260984 | Show resolution group score in the entity flyout and risk contributions | UI changes: entity flyout dual score cards, risk contributions resolution view, inline entity attribution, watchlist name display |

Which deployment methods does this change impact?

Unknown

Feature differences

| Aspect | Legacy Risk Engine (v1) | Risk Score Maintainer (v2) |
| --- | --- | --- |
| Setup | Separate enablement step | Enabled automatically with Entity Store setup |
| Entity identification | user.name / host.name / service.name | EUID (stable entity identity) |
| Which entities are scored | All alerts with a recognised name field | Only entities enrolled in the Entity Store |
| Modifier source | Separate queries to asset criticality + privmon indices | Read directly from Entity Store documents |
| Watchlist model | Hardcoded is_privileged_user boolean | Generic named watchlists with configurable risk modifiers |
| Resolution scoring | Not supported | Scores resolution groups with combined alerts, max criticality, and union of watchlists |
| Score persistence | Risk index only | Dual-write: risk index + Entity Store documents |
| Score types | Single score per entity | Base score + resolution group score (when applicable) |
| Schedule | Hourly (configurable) | Hourly (configurable) - unchanged |
| Manual runs | Supported | Supported - unchanged |
| Reset mechanism | In-memory exclusion list per run | Run-aware stale detection using calculation_run_id |

What Elastic Stack release is this request related to?

9.4

Serverless release

No response

Collaboration model

Unknown

Point of contact

Main contact: @hop-dev

Stakeholders: @jaredburgettelastic

Labels

Team:Experience (issues owned by the Experience Docs Team)
