Stores information related to the risk score of an entity. Next ID: 15
JSON representation |
---|
{ "risk_version" : string , "risk_window" : { object ( |
Fields | |
---|---|
risk_version | Version of the risk score calculation algorithm. |
risk_window | Time window used when computing the risk score for an entity, for example 24 hours or 7 days. |
DEPRECATED_risk_score | Deprecated risk score. |
detections_count | Number of detections that make up the risk score within the time window. |
first_detection_time | Timestamp of the first detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
last_detection_time | Timestamp of the last detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
risk_score | Raw risk score for the entity. |
normalized_risk_score | Normalized risk score for the entity. This value is between 0 and 1000. |
risk_window_size | Risk window duration for the entity. A duration in seconds with up to nine fractional digits, ending with ' |
last_reset_time | Timestamp used for deduplication based on UEBA risk score resets. Used specifically for risk-based meta rules. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
detail_uri | Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. |
risk_window_has_new_detections | Whether there are new detections for the risk window. |
risk_delta | Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. |
raw_risk_delta | Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. |
RiskDelta
Describes the difference in risk score between two points in time.
JSON representation |
---|
{ "previous_range_end_time" : string , "risk_score_delta" : integer , "previous_risk_score" : integer , "risk_score_numeric_delta" : integer } |
Fields | |
---|---|
previous_range_end_time | End time of the previous time window. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
risk_score_delta | Difference in the normalized risk score from the previous recorded value. |
previous_risk_score | Risk score from the previous risk window. |
risk_score_numeric_delta | Numeric change between the current and previous risk score. |
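
The following is an added example, not part of the original reference or of any Google client library: a consumer-side check that validates an entity risk record against the constraints stated above (RFC 3339 timestamps, the 0 to 1000 range, empty detection times when there are no detections) before using it for triage. The function names, the sample records, the assumption that scores arrive as JSON numbers, and the escalation rule with its threshold of 800 are all assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# RFC 3339 with "Z" or a numeric offset. Generated output uses 0, 3, 6 or 9
# fractional digits; anything up to 9 is accepted here.
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$")

def parse_ts(value):
    """Return an aware UTC datetime, or None when the field is empty."""
    if not value:
        return None
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, offset = m.groups()
    micros = (frac or "")[:6].ljust(6, "0")  # datetime keeps microseconds only
    offset = "+00:00" if offset == "Z" else offset
    return datetime.fromisoformat(f"{base}.{micros}{offset}").astimezone(timezone.utc)

def check_entity_risk(risk, alert_at=800):
    """Validate one record (a dict); return (problems, escalate)."""
    problems = []
    score = float(risk.get("normalized_risk_score", 0))
    if not 0 <= score <= 1000:
        problems.append("normalized_risk_score outside 0-1000")
    count = int(risk.get("detections_count", 0))
    first = parse_ts(risk.get("first_detection_time"))
    last = parse_ts(risk.get("last_detection_time"))
    if count == 0 and (first or last):
        problems.append("detection times set but detections_count is 0")
    if first and last and first > last:
        problems.append("first_detection_time is later than last_detection_time")
    delta = risk.get("risk_delta", {}).get("risk_score_delta", 0)
    # Assumed policy: escalate only clean records that are high and still rising.
    escalate = (not problems and score >= alert_at and delta > 0
                and bool(risk.get("risk_window_has_new_detections")))
    return problems, escalate

# Constructed sample records, not real output.
SAMPLE_OK = {
    "normalized_risk_score": 870, "detections_count": 4,
    "first_detection_time": "2024-05-01T08:15:00Z",
    "last_detection_time": "2024-05-01T12:30:00.250+02:00",
    "risk_window_has_new_detections": True,
    "risk_delta": {"risk_score_delta": 120, "previous_risk_score": 750},
}
SAMPLE_BAD = {"normalized_risk_score": 1200, "detections_count": 0,
              "last_detection_time": "2024-05-01T12:30:00Z"}
```

Rejecting inconsistent records before they reach alerting logic keeps a malformed or partially populated export from silently suppressing or inflating an escalation.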