Specify entity risk score in rules
Supported in: Google SecOps SIEM

This document describes how to use entity risk scores in rules. In rules, entity risk scores behave in a way that is similar to entity context. You can write YARA-L 2.0 rules that use risk scores as the main detection method. For more information about rules for Risk Analytics, see Create rules for Risk Analytics. For more information on risk-based context, see Creating context-aware analytics.

To retrieve an entity risk score, join an entity with a UDM event and retrieve the specified field from EntityRisk.
The following example shows how to create a rule to generate detections on any entity hostname whose risk score is greater than 100.

  rule EntityRiskScore {
    meta:
    events:
      $e1.principal.hostname != ""
      $e1.principal.hostname = $hostname

      $e2.graph.entity.hostname = $hostname
      $e2.graph.risk_score.risk_window_size.seconds = 86400 // 24 hours
      $e2.graph.risk_score.risk_score >= 100

      // Run deduplication across the risk score.
      $rscore = $e2.graph.risk_score.risk_score

    match:
      // Dedup on hostname and risk score across a 4 hour window.
      $hostname, $rscore over 4h

    outcome:
      // Force these risk score based rules to have a risk score of zero to
      // prevent self feedback loops.
      $risk_score = 0

    condition:
      $e1 and $e2
  }
This example rule also performs self-deduplication using the match section. If a detection would otherwise trigger but the hostname and risk score remain unchanged within a 4-hour window, no new detection is created.
The only supported risk windows for entity risk score rules are 24 hours (86,400 seconds) or 7 days (604,800 seconds). If you don't specify a risk window size in the rule, it defaults to either 24 hours or 7 days.

Note: If you set multiple risk window sizes for your rules, verify they're consistent. Inconsistent windows can lead to inaccurate results due to data overlaps or gaps.
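As an added example (not from the Google SecOps documentation), the following Python lint reads YARA-L rule text and flags the constraints described above: a risk window other than 86,400 or 604,800 seconds, two different windows in one rule, a risk-score rule with no explicit window (so the default applies), and a risk-score rule whose outcome does not set $risk_score = 0 as the first example does. The regexes and the sample rules are constructed for this illustration.

```python
import re

# Only these two risk window sizes are supported for entity risk score rules.
SUPPORTED_WINDOWS = {86400: "24 hours", 604800: "7 days"}
RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)^\s*\}", re.S | re.M)
WINDOW_RE = re.compile(r"\$\w+\.graph\.risk_score\.risk_window_size\.seconds\s*=\s*(\d+)")
RISK_REF_RE = re.compile(r"\$\w+\.graph\.risk_score\.")
ZERO_OUTCOME_RE = re.compile(r"^\s*\$risk_score\s*=\s*0\s*$", re.M)

def lint_rule(body: str) -> list[str]:
    """Return findings for one rule body; an empty list means the rule is clean."""
    findings = []
    windows = sorted({int(w) for w in WINDOW_RE.findall(body)})
    for w in windows:
        if w not in SUPPORTED_WINDOWS:
            findings.append(f"unsupported risk window {w}s; use 86400 or 604800")
    if len(windows) > 1:
        findings.append(f"inconsistent risk windows {windows}; data may overlap or gap")
    if RISK_REF_RE.search(body):  # the rule reads entity risk score data
        if not windows:
            findings.append("no risk_window_size set; the default (24h or 7d) applies")
        if not ZERO_OUTCOME_RE.search(body):
            findings.append("no '$risk_score = 0' outcome; detections may feed the score back")
    return findings

def lint_rules(text: str) -> dict[str, list[str]]:
    """Lint every rule in a YARA-L file; keys are rule names."""
    return {name: lint_rule(body) for name, body in RULE_RE.findall(text)}

# Constructed sample rules (not from the documentation), trimmed to the lines the lint reads.
SAMPLE_RULES = """\
rule HourlyWindow {
  events:
    $e.graph.risk_score.risk_window_size.seconds = 3600
    $e.graph.risk_score.risk_score >= 100
  outcome:
    $risk_score = 0
  condition:
    $e
}
rule MixedWindows {
  events:
    $a.graph.risk_score.risk_window_size.seconds = 86400
    $b.graph.risk_score.risk_window_size.seconds = 604800
  condition:
    $a and $b
}
"""
```

Run lint_rules over a rule file before deploying it; a rule that references no graph.risk_score field produces no findings.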
Entity risk score data is stored separately from entity context data. To use both in a rule, the rule must have two separate entity events, one for the entity context and one for the entity risk score, as shown in the following example:

  rule EntityContextAndRiskScore {
    meta:
    events:
      $log_in.metadata.event_type = "USER_LOGIN"
      $log_in.principal.hostname = $host

      $context.graph.entity.hostname = $host
      $context.graph.metadata.entity_type = "ASSET"

      $risk_score.graph.entity.hostname = $host
      $risk_score.graph.risk_score.risk_window_size.seconds = 604800

    match:
      $host over 2m

    outcome:
      $entity_risk_score = max($risk_score.graph.risk_score.normalized_risk_score)

    condition:
      $log_in and $context and $risk_score and $entity_risk_score > 100
  }

Last updated 2025-08-29 UTC.