...

The mapping above lets the risk processor identify the entities in each alert, calculate their risk, and map the results to the display in the application.

entity.behavior.risk.events overview

entity: Name of the entity
total_risk: Cumulative (sum) risk score
related: All related entities observed
last_risk: Time of the most recent alert or anomaly signal observed
alert_metrics_secops: Total number of observed SecOps alerts
alert_metrics_ueba: Total number of observed anomaly signals
priority_metrics_high: Total number of observed SecOps alerts with severity "High"
prioirity_metrics_critical: Total number of observed SecOps alerts with severity "Critical"
entity_risk: Risk score normalized against other entities of this entity's type
entity_type: Type of entity
global_risk: Risk score normalized against all entities
unique_alerts: Number of unique (distinct) alerts observed
unique_techiniques: Number of unique (distinct) MITRE ATT&CK techniques observed
unique_tactics: Number of unique (distinct) MITRE ATT&CK tactics observed
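The following is an added illustration, not the product's own code, of how raw alerts and anomaly signals fold into one entity.behavior.risk.events record per entity using the field names listed above. The input signal fields (source, risk, ts, technique, tactic, related), the constructed sample data, and the 0-100 max-based normalization used for entity_risk and global_risk are assumptions; the page does not specify the normalization rule.

```python
from collections import defaultdict

# Constructed sample signals. Input field names (source, risk, ts, ...) are
# assumptions for this illustration, not the product's real input schema.
SIGNALS = [
    {"entity": "jdoe", "entity_type": "user", "source": "secops", "alert_id": "A1", "severity": "High",
     "risk": 40, "technique": "T1078", "tactic": "TA0001", "related": ["host-7"], "ts": "2024-03-01T10:00:00"},
    {"entity": "jdoe", "entity_type": "user", "source": "ueba", "alert_id": "U1", "severity": "Medium",
     "risk": 15, "technique": "T1078", "tactic": "TA0001", "related": ["host-7"], "ts": "2024-03-01T11:30:00"},
    {"entity": "jdoe", "entity_type": "user", "source": "secops", "alert_id": "A2", "severity": "Critical",
     "risk": 80, "technique": "T1003", "tactic": "TA0006", "related": ["host-9"], "ts": "2024-03-02T09:15:00"},
    {"entity": "host-7", "entity_type": "host", "source": "secops", "alert_id": "A1", "severity": "High",
     "risk": 40, "technique": "T1078", "tactic": "TA0001", "related": ["jdoe"], "ts": "2024-03-01T10:00:00"},
]

def build_risk_events(signals):
    """Fold raw signals into one record per entity, using the field names listed above."""
    per_entity = {}
    for s in signals:
        r = per_entity.setdefault(s["entity"], {
            "entity": s["entity"], "entity_type": s["entity_type"], "total_risk": 0,
            "related": set(), "last_risk": "", "alert_metrics_secops": 0,
            "alert_metrics_ueba": 0, "priority_metrics_high": 0,
            "prioirity_metrics_critical": 0, "unique_alerts": set(),
            "unique_techiniques": set(), "unique_tactics": set()})
        r["total_risk"] += s["risk"]                  # cumulative (sum) risk
        r["related"].update(s["related"])
        r["last_risk"] = max(r["last_risk"], s["ts"])  # ISO-8601 strings sort chronologically
        if s["source"] == "secops":                   # SecOps alerts carry a severity
            r["alert_metrics_secops"] += 1
            r["priority_metrics_high"] += s["severity"] == "High"
            r["prioirity_metrics_critical"] += s["severity"] == "Critical"
        else:                                         # anything else is a UEBA anomaly signal
            r["alert_metrics_ueba"] += 1
        r["unique_alerts"].add(s["alert_id"])
        r["unique_techiniques"].add(s["technique"])
        r["unique_tactics"].add(s["tactic"])
    # Normalization rule is an assumption: scale total_risk to 0-100 against the
    # highest total in the same entity type (entity_risk) and overall (global_risk).
    type_max = defaultdict(int)
    for r in per_entity.values():
        type_max[r["entity_type"]] = max(type_max[r["entity_type"]], r["total_risk"])
    for r in per_entity.values():
        r["entity_risk"] = round(100 * r["total_risk"] / type_max[r["entity_type"]], 1)
        r["global_risk"] = round(100 * r["total_risk"] / max(type_max.values()), 1)
        r["related"] = sorted(r["related"])
        for k in ("unique_alerts", "unique_techiniques", "unique_tactics"):
            r[k] = len(r[k])                          # distinct counts
    return per_entity
```

Note that the same alert_id appearing under two entities (A1 for jdoe and host-7) counts once per entity, which is why unique_alerts is tracked per record rather than globally.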