Post-engine risk-based alerting layer.
An optional stage in the daemon sink path, between post-evaluation enrichment and the alert pipeline, modeled on Splunk RBA and Entity Risk Scoring. It runs in two stages:
- Stage one (risk annotation): each firing detection is assigned a risk score and one or more risk objects (entities such as user, host, src_ip). The score and objects are injected into header.enrichments under the reserved risk.score / risk.objects keys, and, when emit_risk_events is set, a compact risk event is emitted per (detection, risk object) pair.
The layer is strictly post-engine: it consumes EvaluationResults and
emits annotated EvaluationResults plus additive risk events, so the
evaluation hot path is untouched. The immutable, validated config
(RiskLayer) is built from a YAML file and swapped atomically on
hot-reload.
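As an added illustration of stage one (this is not the crate's own code: its EvaluationResult, RiskLayer and config types are not shown on this page), the following Rust models risk annotation on a hypothetical Detection type. It resolves the score from a custom attribute, extracts risk objects from the user/host/src_ip fields, writes the reserved risk.score and risk.objects keys into the enrichments map, and fans out one event per (detection, risk object) pair only when emit_risk_events is set. The attribute key "risk_score" stands in for DEFAULT_SCORE_ATTRIBUTE, whose actual value the page does not give; the sample detection and config are constructed for the example.

```rust
use std::collections::BTreeMap;

// Hypothetical stand-in for a firing detection; the crate's EvaluationResult
// is not shown on the page. `enrichments` models header.enrichments.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Detection {
    pub rule_id: String,
    pub custom_attributes: BTreeMap<String, String>,
    pub fields: BTreeMap<String, String>,
    pub enrichments: BTreeMap<String, String>,
}

// One compact risk event: exactly one per (detection, risk object) pair.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RiskEvent {
    pub rule_id: String,
    pub object_type: String,
    pub object_value: String,
    pub score: u32,
}

// Hypothetical stage-one settings. `score_attribute` plays the role of
// DEFAULT_SCORE_ATTRIBUTE; its real value is not on the page, so the
// samples below use the placeholder "risk_score".
pub struct StageOneConfig {
    pub score_attribute: String,
    pub default_score: u32,
    pub object_fields: Vec<String>,
    pub emit_risk_events: bool,
}

pub const RISK_SCORE_KEY: &str = "risk.score";
pub const RISK_OBJECTS_KEY: &str = "risk.objects";

/// Stage one (risk annotation) for a single firing detection.
pub fn annotate(det: &Detection, cfg: &StageOneConfig) -> (Detection, Vec<RiskEvent>) {
    // An explicit per-rule score wins; missing or unparsable falls back to the default.
    let score = det
        .custom_attributes
        .get(&cfg.score_attribute)
        .and_then(|s| s.trim().parse::<u32>().ok())
        .unwrap_or(cfg.default_score);

    // Risk objects: every configured entity field that is present and non-empty.
    let objects: Vec<(String, String)> = cfg
        .object_fields
        .iter()
        .filter_map(|f| det.fields.get(f).map(|v| (f.clone(), v.clone())))
        .filter(|(_, v)| !v.is_empty())
        .collect();

    // The reserved keys are owned by the layer: a value already present in
    // the input (e.g. smuggled in upstream) is overwritten, never trusted.
    let mut annotated = det.clone();
    annotated.enrichments.insert(RISK_SCORE_KEY.into(), score.to_string());
    let joined: Vec<String> = objects.iter().map(|(t, v)| format!("{t}={v}")).collect();
    annotated.enrichments.insert(RISK_OBJECTS_KEY.into(), joined.join(","));

    // Fan-out, opt-in only: one event per (detection, risk object) pair.
    let events = if cfg.emit_risk_events {
        objects
            .iter()
            .map(|(t, v)| RiskEvent {
                rule_id: det.rule_id.clone(),
                object_type: t.clone(),
                object_value: v.clone(),
                score,
            })
            .collect()
    } else {
        Vec::new()
    };
    (annotated, events)
}

/// Constructed sample: explicit score 80, `user` and `src_ip` present but no
/// `host`, and a bogus pre-set risk.score that stage one must overwrite.
pub fn sample_detection() -> Detection {
    let s = |v: &str| v.to_string();
    Detection {
        rule_id: s("rule-0001"),
        custom_attributes: BTreeMap::from([(s("risk_score"), s("80"))]),
        fields: BTreeMap::from([(s("user"), s("alice")), (s("src_ip"), s("203.0.113.7"))]),
        enrichments: BTreeMap::from([(s(RISK_SCORE_KEY), s("999"))]),
    }
}

/// Constructed stage-one config over the three entity fields named on the page.
pub fn sample_config(emit_risk_events: bool) -> StageOneConfig {
    StageOneConfig {
        score_attribute: "risk_score".into(),
        default_score: 10,
        object_fields: vec!["user".into(), "host".into(), "src_ip".into()],
        emit_risk_events,
    }
}

fn main() {
    let (annotated, events) = annotate(&sample_detection(), &sample_config(true));
    println!("{:?}", annotated.enrichments);
    println!("{events:?}");
}
```

Two points worth noticing: the sample detection arrives with risk.score already set to 999, and the annotation step replaces it rather than keeping it, which is what "reserved" keys imply for a layer that sits after enrichment; and with emit_risk_events off the enrichments are still written, only the additive events are suppressed, matching the page's description of the events as opt-in.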
Structs§
- EntitySnapshot - One tracked entity's window.
- IncidentConfig - Validated risk-incident configuration.
- IncidentFile - The incident: block.
- ObjectFile - An objects: entry.
- RiskCaps - Bounds on accumulator growth, with an eviction metric when exceeded.
- RiskCapsFile - The incident.caps: block.
- RiskEntityView - A read-only view of one open entity, served by GET /api/v1/risk.
- RiskFile - Top-level risk config file.
- RiskIncidentResult - The wire shape emitted when an entity crosses a risk threshold. One flat NDJSON object, disambiguated downstream by the presence of risk_incident_id.
- RiskLayer - A validated, runnable risk layer.
- RiskObject - A single extracted risk object.
- RiskOutput - Output of RiskLayer::process: the annotated pass-through results and the additive risk events (opt-in).
- RiskRef - A lightweight reference to a contributing detection.
- RiskState - The in-memory accumulator, owned single-threaded by the sink task (shared behind an RwLock so GET /api/v1/risk can read it).
- RiskStateSnapshot - A point-in-time capture of the whole accumulator.
- ScopeConfig - The scope: block, mirroring the alert-pipeline config.
- ScoreFile - The score: block.
Enums§
- IncludeLabel - An incident.include label.
- IncludeMode - How much contributing-detection detail to embed in a RiskIncidentResult.
- ReducerLabel - A score.tag_reducer label.
- RiskConfigError - Errors produced while loading or validating a risk config.
Constants§
- DEFAULT_SCORE_ATTRIBUTE - The default custom-attribute key carrying an explicit per-rule score.
- SNAPSHOT_VERSION - Snapshot format version. Bump on any breaking change to the layout below; a loaded snapshot whose version differs is discarded and the accumulator starts empty.
Functions§
- build_risk_layer - Validate a parsed file into a runnable RiskLayer.
- load_risk_file - Read and deserialize a risk config file.
- parse_risk_config - Parse and validate a risk config from a YAML string.