Question

Entity Risk Analytic Detection

  • January 28, 2026
  • 2 replies
  • 30 views

Gooble


Based on this page: https://docs.cloud.google.com/chronicle/docs/detection/risk-based-alerting
I'm testing a rule alerting on a user having a high risk score, triggering only if it has multiple detections, and only if the risk score is increasing.

    events:
        $e.metadata.event_type = "ENTITY_RISK_CHANGE"
        $e.extracted.fields["about[0].resource.resourceSubtype"] = ""
        // Deduplication
        $e.extensions.entity_risk.risk_window_has_new_detections = true
        // Alert only if there are multiple detections for the same entity.
        $e.extracted.fields["extensions.entityRisk.detectionsCount"] >= "2"
        // Ensure the risk score actually went up, using the delta
        $e.extensions.entity_risk.risk_delta.risk_score_delta > 0
        // Risk score condition
        $e.extensions.entity_risk.normalized_risk_score >= 700 and $e.extensions.entity_risk.risk_score >= 100
        // Filter out noisy activity and non-actionable entities
        ($e.about.user.email_addresses != "" or $e.about.user.userid != "")
        $e.about.user.email_addresses != /(@gmail\.com)$/
        $e.about.user.email_addresses != "system@okta.com"
        $e.about.user.userid != /^(0|\d+)$/

        // Placeholders
        $user_email = $e.about.user.email_addresses
        $user_id = $e.about.user.userid

    match:
        $user_email, $user_id over 10m

    outcome:
        $vendor_name = array_distinct($e.metadata.vendor_name)
        $product_name = array_distinct($e.metadata.product_name)

        $entity_risk_score_normalized = max($e.extensions.entity_risk.normalized_risk_score)
        $entity_previous_risk_score = max($e.extensions.entity_risk.risk_delta.previous_risk_score)
        $entity_risk_score = max($e.extensions.entity_risk.risk_score)
        $detection_count = array_distinct($e.extracted.fields["extensions.entityRisk.detectionsCount"])
        $entity_risk_link = array_distinct($e.extensions.entity_risk.detail_uri)

        // Reset risk score to prevent feedback
        $risk_score = 0

    condition:
        $e

    options:
        allow_zero_values = true // keep events when an aggregated field is empty
        suppression_window = 24h


However, the same user is triggering even if there is no new detection mapped to this user, except the detection that's triggering for this rule, but the risk score in the rule is set to 0. And while the risk score is decreasing or constant in the Risk Analytics dashboard, it's still triggering, no matter if I'm using the delta or the previous score to compare with the actual score.
Am I using the right fields for such a detection? Should I use a 1-day risk_window_size instead of a week?


For info, here are the available field names related to risk.

    extensions.entity_risk.normalized_risk_score = 996
    extensions.entity_risk.raw_risk_delta.risk_score_delta = 100
    extensions.entity_risk.raw_risk_delta.risk_score_numeric_delta = 324
    extensions.entity_risk.risk_delta.previous_risk_score = 1
    extensions.entity_risk.risk_delta.risk_score_delta = 999
    extensions.entity_risk.risk_delta.risk_score_numeric_delta = 995
    extensions.entity_risk.risk_score = 324
    extensions.entity_risk.risk_window_has_new_detections = true
    extensions.entity_risk.risk_window_size.seconds = 604800
    extensions.entity_risk.detections_count = 26


2 replies

kentphelps
Staff
  • February 17, 2026

Have you looked at using risk_score_numeric_delta rather than risk_delta? risk_delta is a percentage, while risk_score_numeric_delta is the actual point increase.
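Added example (not from the original post or from Google SecOps itself): a Python model of the rule's event-section filters from the question, run offline over constructed ENTITY_RISK_CHANGE records and using the point delta kentphelps mentions instead of the percentage delta; the flat record layout and the simplified user fields are assumptions, and the last two functions show why a detections count compared as a string can misbehave.

```python
# Offline model of the rule's event-section predicates. Example code added
# here, not the poster's rule or Google SecOps code; records are constructed
# samples whose field names follow the list given in the question.

def passes_filters(ev, min_detections=2, min_normalized=700, min_raw=100):
    """True when a constructed ENTITY_RISK_CHANGE record satisfies the rule's
    filters, with risk_score_numeric_delta as the 'score went up' test."""
    if ev["event_type"] != "ENTITY_RISK_CHANGE":
        return False
    r = ev["entity_risk"]
    if not r["risk_window_has_new_detections"]:
        return False                      # deduplication: nothing new in window
    if r["detections_count"] < min_detections:
        return False                      # needs several detections on the entity
    # Point change of the score; risk_delta.risk_score_delta is a percentage.
    if r["risk_score_numeric_delta"] <= 0:
        return False                      # flat or decreasing score: no escalation
    if r["normalized_risk_score"] < min_normalized or r["risk_score"] < min_raw:
        return False
    user = ev["user"]
    if not (user["email"] or user["userid"]):
        return False                      # no actionable identity
    if user["email"].endswith("@gmail.com") or user["email"] == "system@okta.com":
        return False
    if user["userid"].isdigit():          # same effect as the /^(0|\d+)$/ filter
        return False
    return True

def detections_count_as_string_passes(value, threshold="2"):
    """String ordering is lexicographic, so "10" >= "2" is False."""
    return value >= threshold

def detections_count_as_int_passes(value, threshold=2):
    """Comparing the parsed number gives the intended result."""
    return int(value) >= threshold

# Constructed sample records (values modelled on the field dump in the question).
RISING = {"event_type": "ENTITY_RISK_CHANGE",
          "entity_risk": {"risk_window_has_new_detections": True,
                          "detections_count": 26, "risk_score_numeric_delta": 995,
                          "normalized_risk_score": 996, "risk_score": 324},
          "user": {"email": "alice@example.com", "userid": "alice"}}
FALLING = {**RISING, "entity_risk": {**RISING["entity_risk"],
                                     "risk_score_numeric_delta": -40}}
NOISE = {**RISING, "user": {"email": "bob@gmail.com", "userid": "bob"}}

if __name__ == "__main__":
    print(passes_filters(RISING), passes_filters(FALLING), passes_filters(NOISE))
    print(detections_count_as_string_passes("10"), detections_count_as_int_passes("10"))
```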


Asura
  • February 17, 2026

Hello @Gooble,

I think that putting $risk_score = 0 in your rule does not mean that you are resetting the risk score of the entity to 0.

From my understanding, it just means that when your rule triggers, it will not add additional risk score to the entity triggering the rule.

As you know, the risk score = max(risk_score) + the sum of the remaining risk scores.

The recommendation of putting $risk_score = 0 is to avoid increasing the scoring of your entity "for nothing", making some sort of "infinite loop".

I think that you will have to leverage some playbook automation to put the risk score of the entity triggering your threshold rule to 0 (that is what we had to do on our side).