Module risk

Post-engine risk-based alerting layer.

An optional stage in the daemon sink path, between post-evaluation enrichment and the alert pipeline, modeled on Splunk RBA and Entity Risk Scoring. It runs in two stages:

  • Stage one (risk annotation): each firing detection is assigned a risk score and one or more risk objects (entities such as user, host, src_ip). The score and objects are injected into header.enrichments under the reserved risk.score / risk.objects keys, and, when emit_risk_events is set, a compact risk event is emitted per (detection, risk object) pair.

The layer is strictly post-engine: it consumes EvaluationResults and emits annotated EvaluationResults plus additive risk events, so the evaluation hot path is untouched. The immutable, validated config (RiskLayer) is built from a YAML file and swapped atomically on hot-reload.

Structs

EntitySnapshot
One tracked entity’s window.
IncidentConfig
Validated risk-incident configuration.
IncidentFile
incident: block.
ObjectFile
objects: entry.
RiskCaps
Bounds on accumulator growth, with an eviction metric when exceeded.
RiskCapsFile
incident.caps: block.
RiskEntityView
A read-only view of one open entity, served by GET /api/v1/risk.
RiskFile
Top-level risk config file.
RiskIncidentResult
The wire shape emitted when an entity crosses a risk threshold. One flat NDJSON object, disambiguated downstream by the presence of risk_incident_id.
RiskLayer
A validated, runnable risk layer.
RiskObject
A single extracted risk object.
RiskOutput
Output of RiskLayer::process: the annotated pass-through results and the additive risk events (opt-in).
RiskRef
A lightweight reference to a contributing detection.
RiskState
The in-memory accumulator, owned single-threaded by the sink task (shared behind an RwLock so GET /api/v1/risk can read it).
RiskStateSnapshot
A point-in-time capture of the whole accumulator.
ScopeConfig
scope: block, mirroring the alert-pipeline config.
ScoreFile
score: block.

Enums

IncludeLabel
incident.include label.
IncludeMode
How much contributing-detection detail to embed in a RiskIncidentResult.
ReducerLabel
score.tag_reducer label.
RiskConfigError
Errors produced while loading or validating a risk config.

Constants

DEFAULT_SCORE_ATTRIBUTE
The default custom-attribute key carrying an explicit per-rule score.
SNAPSHOT_VERSION
Snapshot format version. Bump on any breaking change to the layout below; a loaded snapshot whose version differs is discarded and the accumulator starts empty.

Functions

build_risk_layer
Validate a parsed file into a runnable RiskLayer.
load_risk_file
Read and deserialize a risk config file.
parse_risk_config
Parse and validate a risk config from a YAML string.