Entity risk scoring in Splunk Enterprise Security

The Entity Risk Score (ERS) is an enhanced version of the original risk score in Splunk Enterprise Security. It measures the overall risk level of an entity, such as a user or asset, based on the findings associated with that entity. It is calculated over the past 7 days and normalized to a range of 0 to 100. A scheduled search called Risk - EWA Entity Risk Score Calculation computes the ERS for every entity that has at least one intermediate finding from the past 7 days; entities with no finding in that window get no score. The search runs every 20 minutes by default.

CAUTION: Do not change or update the Risk - EWA Entity Risk Score Calculation saved search.

The ERS is a weighted average of the following components, each computed from the entity's intermediate findings in the risk index:

  • The sum of all calculated_risk_score values across the intermediate findings

  • The maximum calculated_risk_score observed on any intermediate finding

  • The number of intermediate findings with a calculated_risk_score ≥ 50

  • The total count of intermediate findings

  • The sum of risk across distinct detections, taking only the highest calculated_risk_score from each detection, so a single noisy detection that fires repeatedly does not dominate the score
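To make the five components concrete, here is an added Python example (not code from Splunk or from this page) that computes them over a constructed set of intermediate findings for one entity, applies the 7-day window, and then combines them into a 0 to 100 score. The entity field name risk_object, the detection field name source, the per-component caps and the weights are assumptions made for illustration: the page does not state the weights used by the Risk - EWA Entity Risk Score Calculation search, so the combination shown here is not that search's logic, only the shape of a weighted average normalized to 0 to 100.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of intermediate findings (risk events). The field
# calculated_risk_score is the one named on the page; risk_object (the entity)
# and source (the detection that produced the finding) are assumed names.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
FINDINGS = [
    {"risk_object": "alice", "source": "Unusual Login Geo", "calculated_risk_score": 60, "_time": NOW - timedelta(days=1)},
    {"risk_object": "alice", "source": "Unusual Login Geo", "calculated_risk_score": 30, "_time": NOW - timedelta(days=2)},
    {"risk_object": "alice", "source": "Rare Process Exec", "calculated_risk_score": 80, "_time": NOW - timedelta(days=3)},
    {"risk_object": "alice", "source": "Brute Force", "calculated_risk_score": 90, "_time": NOW - timedelta(days=10)},  # outside 7-day window
    {"risk_object": "host-01", "source": "Malware Seen", "calculated_risk_score": 40, "_time": NOW - timedelta(hours=5)},
    {"risk_object": "carol", "source": "Brute Force", "calculated_risk_score": 95, "_time": NOW - timedelta(days=8)},  # only stale finding
]

WINDOW_DAYS = 7
HIGH_THRESHOLD = 50

# Assumed caps used to scale each component onto 0..100 and assumed weights
# (summing to 1.0). These are illustrative values, not Splunk's.
CAPS = {"sum_score": 500, "max_score": 100, "high_count": 10, "total_count": 20, "sum_detection_max": 300}
WEIGHTS = {"sum_score": 0.25, "max_score": 0.30, "high_count": 0.15, "total_count": 0.10, "sum_detection_max": 0.20}


def components(findings, entity, now=NOW):
    """Return the five ERS components for one entity over the trailing window,
    or None if the entity has no intermediate finding inside the window."""
    window = timedelta(days=WINDOW_DAYS)
    in_window = [f for f in findings if f["risk_object"] == entity and now - f["_time"] <= window]
    if not in_window:
        return None
    scores = [f["calculated_risk_score"] for f in in_window]
    # Highest score per detection, so repeated firings of one detection
    # contribute once to the per-detection sum.
    per_detection_max = defaultdict(int)
    for f in in_window:
        per_detection_max[f["source"]] = max(per_detection_max[f["source"]], f["calculated_risk_score"])
    return {
        "sum_score": sum(scores),
        "max_score": max(scores),
        "high_count": sum(1 for s in scores if s >= HIGH_THRESHOLD),
        "total_count": len(scores),
        "sum_detection_max": sum(per_detection_max.values()),
    }


def entity_risk_score(findings, entity, now=NOW):
    """Weighted average of the scaled components, rounded to one decimal (0..100)."""
    comp = components(findings, entity, now)
    if comp is None:
        return None
    score = 0.0
    for name, value in comp.items():
        scaled = min(100.0, value / CAPS[name] * 100.0)  # scale and cap at 100
        score += WEIGHTS[name] * scaled
    return round(score, 1)


def score_all_entities(findings, now=NOW):
    """Mirror the scheduled search: score every entity with at least one
    intermediate finding in the window and skip the rest."""
    entities = {f["risk_object"] for f in findings}
    result = {}
    for entity in sorted(entities):
        score = entity_risk_score(findings, entity, now)
        if score is not None:
            result[entity] = score
    return result


if __name__ == "__main__":
    for entity, score in score_all_entities(FINDINGS).items():
        print(entity, components(FINDINGS, entity), score)
```

For alice the in-window findings are 60, 30 and 80 (the 90-point finding is 10 days old and dropped), giving a sum of 170, a maximum of 80, two findings at or above 50, a total of three, and a per-detection sum of 140 because the two Unusual Login Geo findings contribute only their highest score. carol has only a stale finding and receives no score, which is the behaviour to expect from the scheduled search for an entity with nothing in the past 7 days.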

Note: UEBA uses data from the Splunk Enterprise Security Risk Data Model. For best results, configure your correlation searches to include MITRE ATT&CK annotations, which improve detection accuracy and risk scoring.