EntityRisk

Stores information related to the risk score of an entity. Next ID: 15

JSON representation
{
  "risk_version": string,
  "risk_window": {
    object (Interval)
  },
  "DEPRECATED_risk_score": integer,
  "detections_count": integer,
  "first_detection_time": string,
  "last_detection_time": string,
  "risk_score": number,
  "normalized_risk_score": integer,
  "risk_window_size": string,
  "last_reset_time": string,
  "detail_uri": string,
  "risk_window_has_new_detections": boolean,
  "risk_delta": {
    object (RiskDelta)
  },
  "raw_risk_delta": {
    object (RiskDelta)
  }
}
Fields
risk_version

string

Version of the risk score calculation algorithm.

risk_window

object (Interval)

Time window used when computing the risk score for an entity, for example 24 hours or 7 days.

DEPRECATED_risk_score
(deprecated)

integer

Deprecated risk score.

detections_count

integer

Number of detections that make up the risk score within the time window.

first_detection_time

string (Timestamp format)

Timestamp of the first detection within the specified time window. This field is empty when there are no detections.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_detection_time

string (Timestamp format)

Timestamp of the last detection within the specified time window. This field is empty when there are no detections.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

risk_score

number

Raw risk score for the entity.

normalized_risk_score

integer

Normalized risk score for the entity. This value is between 0 and 1000.

risk_window_size

string (Duration format)

Risk window duration for the entity.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

last_reset_time

string (Timestamp format)

Timestamp for UEBA risk score reset-based deduplication. Used specifically for risk-based meta rules.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

detail_uri

string

Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL.

risk_window_has_new_detections

boolean

Whether there are new detections for the risk window.

risk_delta

object (RiskDelta)

Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.

raw_risk_delta

object (RiskDelta)

Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.
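
The following Python sketch is an added example, not part of the original reference or of any Google client library. It parses the Timestamp and Duration strings described above without losing the nanosecond digits and checks the constraints this page states for an EntityRisk record. The function names and the sample record are hypothetical, and treating absent fields as zero or empty is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?(Z|[+-]\d\d:\d\d)")
_DUR = re.compile(r"-?\d+(?:\.\d{1,9})?s")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_timestamp(value):
    """Return nanoseconds since the Unix epoch (datetime alone keeps only
    microseconds), or None for an empty field."""
    if not value:
        return None
    m = _TS.fullmatch(value)
    if m is None:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, offset = m.groups()
    tz = timezone.utc
    if offset != "Z":
        delta = timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6]))
        tz = timezone(delta if offset[0] == "+" else -delta)
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=tz)
    return (dt - _EPOCH) // timedelta(seconds=1) * 10**9 + int((frac or "0").ljust(9, "0"))

def parse_duration(value):
    """Return a Duration string such as "3.5s" as Decimal seconds."""
    if not _DUR.fullmatch(value):
        raise ValueError(f"not a Duration: {value!r}")
    return Decimal(value[:-1])

def validate_entity_risk(rec):
    """Return the problems found in one EntityRisk dict; malformed strings
    raise ValueError. Absent fields are assumed to be zero or empty."""
    problems = []
    if not 0 <= rec.get("normalized_risk_score", 0) <= 1000:
        problems.append("normalized_risk_score outside 0-1000")
    first = parse_timestamp(rec.get("first_detection_time", ""))
    last = parse_timestamp(rec.get("last_detection_time", ""))
    if rec.get("detections_count", 0) == 0 and (first is not None or last is not None):
        problems.append("detection timestamps set with zero detections")
    if first is not None and last is not None and first > last:
        problems.append("first_detection_time is after last_detection_time")
    parse_duration(rec.get("risk_window_size", "0s"))
    return problems

# Constructed sample record, not taken from a real instance.
SAMPLE = {"normalized_risk_score": 640, "detections_count": 3,
          "first_detection_time": "2014-10-02T15:01:23+05:30",
          "last_detection_time": "2014-10-02T15:01:23.045123456Z",
          "risk_window_size": "86400s"}
```

Comparing the parsed integers rather than the raw strings matters because accepted input may carry a non-"Z" offset, so lexical order and chronological order can disagree.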

RiskDelta

Describes the difference in risk score between two points in time.

JSON representation
{
  "previous_range_end_time": string,
  "risk_score_delta": integer,
  "previous_risk_score": integer,
  "risk_score_numeric_delta": integer
}
Fields
previous_range_end_time

string (Timestamp format)

End time of the previous time window.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

risk_score_delta

integer

Difference in the normalized risk score from the previous recorded value.

previous_risk_score

integer

Risk score from the previous risk window.

risk_score_numeric_delta

integer

Numeric change between the current and previous risk score.