Stores information related to the risk score of an entity. Next ID: 15
JSON representation |
---|
{ "risk_version": string, "risk_window": { object ( |
Fields | |
---|---|
risk_version |
Version of the risk score calculation algorithm. |
risk_window |
Time window used when computing the risk score for an entity, for example 24 hours or 7 days. |
DEPRECATED_risk_score |
Deprecated risk score. |
detections_count |
Number of detections that make up the risk score within the time window. |
first_detection_time |
Timestamp of the first detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
last_detection_time |
Timestamp of the last detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
risk_score |
Raw risk score for the entity. |
normalized_risk_score |
Normalized risk score for the entity. This value is between 0-1000. |
risk_window_size |
Risk window duration for the entity. A duration in seconds with up to nine fractional digits, ending with ' |
last_reset_time |
Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
detail_uri |
Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. |
risk_window_has_new_detections |
Whether there are new detections for the risk window. |
risk_delta |
Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. |
raw_risk_delta |
Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. |
RiskDelta
Describes the difference in risk score between two points in time.
JSON representation |
---|
{ "previous_range_end_time": string, "risk_score_delta": integer, "previous_risk_score": integer, "risk_score_numeric_delta": integer } |
Fields | |
---|---|
previous_range_end_time |
End time of the previous time window. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
risk_score_delta |
Difference in the normalized risk score from the previous recorded value. |
previous_risk_score |
Risk score from previous risk window |
risk_score_numeric_delta |
Numeric change between current and previous risk score |