Dynamic risk score assigning in outcome section

Hi guys,

I am creating a YARA rule to find the lateral movement of users, but I am stuck at assigning the risk score dynamically (according to the country the user logged in from). Could you guys please share any references (I read through the documentation and couldn't find it, my bad) or examples if possible?

Thanks

Example:
If the country is "A", "B" or "C" I want to assign risk score 80. For the remaining countries I want to assign 20.

rule Lateral_Movement {

  meta:
    author = "IronMan"
    description = "Finding the lateral movement when trying to access the finance domain"
    severity = "Medium"

  events:
    //$login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    //$login.principal.ip_geo_artifact.ip = $ip
    $login.principal.user.user_display_name = $user
    $login.principal.location.country_or_region = $country
    $login.target.url = "https://abc.com/"

  match:
    $user over 30m

  outcome:
    $country_array = array_distinct($login.principal.location.country_or_region)
    $risk_score = arrays.contains($country_array, "A") // here I want to assign the risk score dynamically
    $severity = array_distinct($login.security_result[0].severity)
    $Reason = array_distinct($login.security_result[0].summary)
    $is_enrolled_in_2sv = array_distinct($login.principal.user.attribute.labels[7].value)
    $is_enforced_in_2sv = array_distinct($login.principal.user.attribute.labels[8].value)
    $Ip_origin_country = array_distinct($login.principal.ip_geo_artifact[0].location.country_or_region)

  condition:
    #country > 1
}

Here's an example of a dynamic risk_score based on geo information, using some of the math you provided. Easy enough to tweak if required!

$risk_score = max(
    // Baseline
    20 +
    // Unauthorized target geographies
    if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 60) +
    if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 60) +
    if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 60) +
    if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 60) +
    if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 60)
)

 -mike

Mike's example above is a good one for risk score based on country. I did want to add a few more thoughts about geo ip as I've noticed there are a few different things going on in the rule as well as provide some broader resources around the original question on dynamic risk scores and finally throw a few more ideas into a sample rule below that might ease writing the rule.

This blog discusses the geo ip fields and how they can be used: https://chronicle.security/blog/posts/Using-Automated-GeoIP-Enrichment-in-Chronicle/ The one comment I want to make here is to be mindful of the fields within the <NOUN>.ip_geo_artifact section versus the <NOUN>.location section. The ip_geo_artifact section contains enrichments that Google provides during the ingest and enrichment process. The geo_ip may not be as precise as the location section due to privacy concerns, so we have not dialed in the geo_ip to the highest level of precision. Probably not a big deal in most cases, but worth a mention. Also, if your security solution feeding Chronicle has geo location built into it, we will populate the location section of the log with that information. So, if you have both data from the security control and from us, you can choose which one you want to use; that's really up to you.

Rule outcome examples including using risk score in outcome and arrays in condition https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Rule-Outcomes/ba-p/72485...

Video on risk score: https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-Outcomes-...

The additional ideas that I wanted to throw out there are based on some of the things you asked as well as some of the concepts introduced above. I added comments into the sample rule below, but here are the key points.

  • strings.coalesce can be used to choose one field and then another (or another) if the first one doesn't have data in it. So, for example, if the location isn't populated from the endpoint, the system would use geo_ip instead. One word of caution there: make sure you know the country outputs could be different in geo_ip vs. location. In my instance, I have United States in the ip_geo but the location for one of my log sources is US, so I put both into my reference list to cover my bases.
  • For the risk score, we can consolidate our countries of similar concern into a list and use the IN statement with a reference to assign scores using that method.

 

rule Geo_IP_Login_Risk_Score_Example {
  meta:
    author = "Google Cloud Security"
    description = "GeoIP Example with Coalesce function and Risk Score Reference Lists"
    severity = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.principal.ip_geo_artifact.ip = $ip
    $login.principal.user.user_display_name = $user
    //strings.coalesce returns the first non-null field value to the placeholder variable
    strings.coalesce($login.principal.location.country_or_region, $login.principal.ip_geo_artifact.location.country_or_region) = $country

  match:
    $user over 30m

  outcome:
    //use the placeholder variable from the events section to contain the countries from the events
    $country_array = array_distinct($country)
    //risk score (and other outcome variables) can use reference lists, so group countries into reference lists to streamline risk scoring like this
    $risk_score = max(if($country in %countries_high_risk, 60) + if($country in %countries_med_risk, 40))

  condition:
    $login
}
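The scoring the original question asked for (80 for the listed countries, 20 for everything else) combined with the coalesce and reference-list ideas from both replies, as an added example that is not code from either poster: %countries_high_risk is an assumed reference list name, and https://abc.com/ is the placeholder URL from the question.

```yaral
rule Lateral_Movement_Country_Risk_Score_Example {
  meta:
    author = "added example, not from the thread"
    description = "Blocked logins to the finance URL from more than one country in 30m, scored 80 for listed countries and 20 otherwise"
    severity = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    $login.target.url = "https://abc.com/"
    $login.principal.user.user_display_name = $user
    // Prefer the country the log source reported; fall back to Google's GeoIP enrichment
    // when the location section is empty.
    strings.coalesce($login.principal.location.country_or_region, $login.principal.ip_geo_artifact.location.country_or_region) = $country

  match:
    $user over 30m

  outcome:
    // Distinct countries this user was seen from inside the window.
    $country_array = array_distinct($country)
    // %countries_high_risk is an assumed reference list holding "A", "B", "C"; add spelling
    // variants such as both "US" and "United States" because location and geo_ip can differ.
    // if(cond, then, else) gives 80 for a listed country and 20 for any other; max() keeps
    // the highest score across the matched events, so one listed country is enough for 80.
    $risk_score = max(if($country in %countries_high_risk, 80, 20))

  condition:
    // Same signal as the question: the user appeared from more than one distinct country.
    $login and #country > 1
}
```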

 

 

Thank you @mimi and @jstoner for giving me detailed explanation and guidance