Optimizing Ingestion of Structured Security Information into Graph Databases for Security Analytics
| Field | Value |
|---|---|
| Publication number | US-2022067097-A1 |
| Application number | US-202017007199-A |
| Country | US |
| Kind code | A1 |
| Filing date | Aug 31, 2020 |
| Priority date | Aug 31, 2020 |
| Publication date | Mar 3, 2022 |
| Grant date | — |
Official abstract text for this publication.
A method for policy-based analytics includes retrieving, from a graph database, first data representing a first entity in a computing environment, a second entity in the computing environment, and an event associated with the first entity and the second entity; predicting, according to a risk indicator model, a risk associated with the first entity based at least in part on the event; and updating the graph database to include second data representing the risk and a risk indicator. The first and second entities are stored as properties of a first vertex and a second vertex, respectively, and the event is stored as a property of an edge between the first vertex and the second vertex. The risk indicator is stored as a property of a third vertex. The risk is stored as a property of an edge between the first vertex and the third vertex.
Opening claim text (preview).
What is claimed is:

1. A method comprising: retrieving, from a graph database, first data representing a first entity in a computing environment, a second entity in the computing environment, and an event associated with the first entity and the second entity, wherein the first entity and the second entity are stored in the graph database as properties of a first vertex and a second vertex, respectively, and wherein the event is stored in the graph database as a property of an edge between the first vertex and the second vertex; predicting, according to a risk indicator model, a risk associated with the first entity based at least in part on the event; and updating the graph database to include second data representing the risk and a risk indicator, wherein the risk indicator is stored in the graph database as a property of a third vertex, and wherein the risk is stored in the graph database as a property of an edge between the first vertex and the third vertex.
2. The method of claim 1, further comprising: generating an alert based at least in part on the risk; retrieving, from the graph database, information associated with the alert; evaluating the information against at least one policy associated with the first entity to determine whether the information satisfies at least one condition in the at least one policy; and causing, in response to determining that the information satisfies the at least one condition, an action to occur with respect to the first entity.
3. The method of claim 2, further comprising assigning, according to an entity risk scoring model, a risk score to the first entity based at least in part on the event and the risk, wherein the at least one condition is based at least in part on the risk score.
4. The method of claim 3, further comprising updating the graph database to include third data representing the risk score, wherein the risk score is stored in the graph database as an additional property of the edge between the first vertex and the third vertex.
5. The method of claim 1, further comprising: preprocessing at least one of the first data and/or the second data to produce enriched data, wherein the risk is predicted based at least in part on the enriched data; and updating the graph database to include the enriched data, wherein the enriched data is stored in the graph database as one or more additional properties of the first vertex and/or the edge between the first vertex and the third vertex.
6. The method of claim 1, further comprising: receiving an additional event associated with the first entity and the second entity; predicting, according to the risk indicator model, an additional risk associated with the first entity based at least in part on the additional event; and updating the graph database to include third data representing the additional risk, wherein the additional risk is stored in the graph database as an additional property of the edge between the first vertex and the third vertex.
7. The method of claim 6, further comprising: generating an additional alert based at least in part on the additional risk; retrieving, from the graph database, information associated with the additional alert; evaluating the information against at least one policy associated with the first entity to determine whether the information satisfies at least one condition in the at least one policy; and causing, in response to determining that the information satisfies the at least one condition, an additional action to occur with respect to the first entity.
8. A non-transitory machine-readable medium having processor executable instructions encoded thereon that when executed by at least one processor cause a process to be carried out, the process comprising: retrieving, from a graph database, first data representing a first entity in a computing environment, a second entity in the computing environment, and an event associated with the first entity and the second entity, wherein the first entity and the second entity are stored in the graph database as properties of a first vertex and a second vertex, respectively, and wherein the event is stored in the graph database as a property of an edge between the first vertex and the second vertex; assigning, according to an entity risk scoring model, a risk score to the first entity based at least in part on the event; and updating the graph database to include second data representing the risk score and a risk indicator, wherein the risk indicator is stored in the graph database as a property of a third vertex, and wherein the risk score is stored in the graph database as a property of an edge between the first vertex and the third vertex.
9. The non-transitory machine-readable medium of claim 8, wherein the process further includes: generating an alert based at least in part on the risk score; retrieving, from the graph database, information associated with the alert; evaluating the information against at least one policy associated with the first entity to determine whether the information satisfies at least one condition in the at least one policy; and causing, in response to determining that the information satisfies the at least one condition, an action to occur with respect to the first entity.
10. The non-transitory machine-readable medium of claim 9, wherein the process further includes predicting, according to a risk indicator model, a risk associated with the first entity based at least in part on the event, wherein the at least one condition is based at least in part on the risk.
11. The non-transitory machine-readable medium of claim 10, wherein the process further includes updating the graph database to include third data representing the risk, wherein the risk is stored in the graph database as an additional property of the edge between the first vertex and the third vertex.
12. The non-transitory machine-readable medium of claim 8, wherein the process further includes: preprocessing at least one of the first data and/or the second data to produce enriched data, wherein the risk score is assigned based at least in part on the enriched data; and updating the graph database to include the enriched data, wherein the enriched data is stored in the graph database as one or more additional properties of the first vertex and/or the edge between the first vertex and the third vertex.
13. The non-transitory machine-readable medium of claim 8, wherein the process further includes: receiving an additional event associated with the first entity and the second entity; updating, according to the entity risk scoring model, the risk score based at least in part on the additional event; and updating the graph database to include third data representing the updated risk score.
14. The non-transitory machine-readable medium of claim 13, wherein the process further includes: generating an additional alert based at least in part on the updated risk score; retrieving, from the graph database, information associated with the additional alert; evaluating the information against at least one policy associated with the first entity to determine whether the information satisfies at least one condition in the at least one policy; and causing, in response to determining that the information satisfies the at least one condition, an additional action to occur with respect to the first entity.
15. A system comprising: a storage; and at least one processor operatively coupled to the storage, the at least one processor configured to execute instructions stored in th
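A toy in-memory implementation of the graph layout and alert-to-policy flow described in claims 1 through 4, added here as an illustration and not code from the patent or its assignee; the risk indicator model, the scoring formula, the vertex identifiers, the sample events and the policy format are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PropertyGraph:
    """Minimal in-memory property graph: vertices and edges carry property dicts."""
    vertices: dict = field(default_factory=dict)   # vertex id -> properties
    edges: dict = field(default_factory=dict)      # (src, dst) -> properties

    def upsert_vertex(self, vid, **props):
        self.vertices.setdefault(vid, {}).update(props)

    def upsert_edge(self, src, dst, **props):
        self.edges.setdefault((src, dst), {}).update(props)

# Hypothetical risk indicator model (assumption; the claims leave the model
# unspecified): maps an event's action and outcome to a risk in [0, 1].
ACTION_WEIGHT = {"login": 0.1, "privilege_change": 0.6, "data_export": 0.8}

def risk_indicator_model(event):
    risk = ACTION_WEIGHT.get(event["action"], 0.3)
    return min(1.0, risk + (0.2 if event.get("outcome") == "failure" else 0.0))

def assess_entity(g, entity, peer, indicator="ri:exfiltration"):
    """Claim 1: read the event stored on the entity->peer edge, predict a risk,
    store the indicator as a third vertex and the risk on the entity->indicator edge."""
    event = g.edges[(entity, peer)]
    risk = risk_indicator_model(event)
    g.upsert_vertex(indicator, kind="risk_indicator")
    g.upsert_edge(entity, indicator, risk=risk)
    # Claims 3/4: toy entity risk score (0-100, scaled by the peer's criticality
    # property) stored as an additional property of the same edge.
    score = round(100 * risk * g.vertices[peer].get("criticality", 1.0))
    g.upsert_edge(entity, indicator, risk_score=score)
    return risk, score

def evaluate_policy(g, entity, indicator, policy):
    """Claim 2: alert information is read back from the graph and checked against
    the entity's policy; returns the action to cause, or None if no condition holds."""
    info = g.edges[(entity, indicator)]
    if info["risk_score"] >= policy["min_score"]:
        return policy["action"]
    return None

def demo():
    g = PropertyGraph()   # constructed sample data, not from any real environment
    g.upsert_vertex("user:alice", kind="user")
    g.upsert_vertex("host:db-prod", kind="host", criticality=1.0)
    g.upsert_edge("user:alice", "host:db-prod", action="data_export", outcome="failure")
    assess_entity(g, "user:alice", "host:db-prod")
    return evaluate_policy(g, "user:alice", "ri:exfiltration", {"min_score": 80, "action": "disable_account"})
```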
CPC classification titles:

- to a system of files or objects, e.g. local or distributed file system or database
- Assessing vulnerabilities and evaluating computer system security
- Graphs; Linked lists (G06F16/9027 takes precedence)