Ingest data using the entity data model
Entities provide context to network events, which typically do not surface all the information known about the systems they connect to. For example, while a PROCESS_LAUNCH event might be linked to a user (firstname.lastname@example.org) who launched the shady.exe process, the PROCESS_LAUNCH event won't indicate that the user (email@example.com) was a recently terminated employee on a highly sensitive project. This context would normally only be uncovered by further research conducted by a security analyst.
The entity data model enables you to ingest these types of entity relationships, providing richer and more focused IOC threat intelligence data. It also introduces and expands the Permission, Role, Vulnerability, and Resource messages to capture new context available from IAM, vulnerability management systems, and data protection systems.
For details on the entity data model syntax, see the Entity Data Model Reference documentation.
- Azure AD Organizational Context
- Duo User Context
- Google Cloud IAM Analysis
- GCP IAM Context
- Microsoft Defender for Endpoint
- Nucleus Unified Vulnerability Management
- Nucleus Asset Metadata
- Okta User Context
- Rapid7 Insight
- SailPoint IAM
- ServiceNow CMDB
- Tanium Asset
- Microsoft AD
- Workspace ChromeOS Devices
- Workspace Mobile Devices
- Workspace Privileges
- Workspace Users
Use the Ingestion API to ingest entity data into your Chronicle account directly.
See the Ingestion API documentation.
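As an added illustration, not code from the original page or from Chronicle, the following Python builds the kind of USER entity record the text above describes, wraps it in the request body shape used by the Ingestion API's entities:batchCreate endpoint, and then shows how that context enriches the PROCESS_LAUNCH event from the opening example. The HR record, the event, the customer ID, the vendor/product names and the EXAMPLE_USER_CONTEXT log type are all constructed placeholders; the UDM field names (metadata.entity_type, entity.user.*) are the author of this example's understanding of the schema and should be checked against the Entity Data Model Reference before use.

```python
import json

# Constructed sample event: the PROCESS_LAUNCH from the page's example, as UDM.
SAMPLE_EVENT = {
    "metadata": {
        "event_type": "PROCESS_LAUNCH",
        "event_timestamp": "2024-05-01T12:00:00Z",
    },
    "principal": {
        "hostname": "ws-042",
        "user": {"email_addresses": ["firstname.lastname@example.org"]},
    },
    "target": {"process": {"file": {"full_path": "C:\\Users\\Public\\shady.exe"}}},
}

# Constructed HR/IAM export row describing the same person (not real data).
HR_RECORD = {
    "employee_id": "E-1042",
    "userid": "firstname.lastname",
    "email": "firstname.lastname@example.org",
    "title": "Senior Engineer",
    "department": "Project Orion",
    "employment_status": "TERMINATED",
    "termination_date": "2024-04-28T00:00:00Z",
    "project_sensitivity": "HIGH",
}


def build_user_entity(record: dict, collected_at: str) -> dict:
    """Map one HR row onto a UDM USER entity.

    collected_at is an RFC 3339 timestamp. Field names follow the UDM entity
    schema as understood here; verify them against the Entity Data Model Reference.
    """
    labels = [
        {"key": "employment_status", "value": record["employment_status"]},
        {"key": "project_sensitivity", "value": record["project_sensitivity"]},
    ]
    return {
        "metadata": {
            "entity_type": "USER",
            "vendor_name": "ExampleHR",    # assumed placeholder vendor
            "product_name": "ExampleHRIS",  # assumed placeholder product
            "collected_timestamp": collected_at,
        },
        "entity": {
            "user": {
                "userid": record["userid"],
                "employee_id": record["employee_id"],
                "email_addresses": [record["email"]],
                "title": record["title"],
                "department": [record["department"]],
                "termination_date": record["termination_date"],
                "attribute": {"labels": labels},
            }
        },
    }


def build_batch_request(customer_id: str, log_type: str, entities: list) -> dict:
    """Request body for POST .../v2/entities:batchCreate on the Ingestion API."""
    return {"customer_id": customer_id, "log_type": log_type, "entities": entities}


def index_by_email(entities: list) -> dict:
    """Lookup table so events can be joined to entity context by e-mail address."""
    idx = {}
    for ent in entities:
        for addr in ent["entity"].get("user", {}).get("email_addresses", []):
            idx[addr.lower()] = ent
    return idx


def enrich_event(event: dict, by_email: dict) -> dict:
    """Attach user context to an event and derive analyst-facing findings.

    This is the join a detection would perform once the entity has been ingested:
    the raw PROCESS_LAUNCH says nothing about employment status or project sensitivity.
    """
    addrs = event.get("principal", {}).get("user", {}).get("email_addresses", [])
    ctx = next((by_email[a.lower()] for a in addrs if a.lower() in by_email), None)
    findings = []
    if ctx is not None:
        labels = {l["key"]: l["value"] for l in ctx["entity"]["user"]["attribute"]["labels"]}
        if labels.get("employment_status") == "TERMINATED":
            findings.append("activity by a terminated account")
        if labels.get("project_sensitivity") == "HIGH":
            findings.append("user was assigned to a highly sensitive project")
    return {"event": event, "user_context": ctx, "findings": findings}


if __name__ == "__main__":
    ent = build_user_entity(HR_RECORD, "2024-05-01T00:00:00Z")
    body = build_batch_request(
        "00000000-0000-0000-0000-000000000000",  # placeholder customer_id
        "EXAMPLE_USER_CONTEXT",                  # placeholder log type
        [ent],
    )
    print(json.dumps(body, indent=2))
    print(enrich_event(SAMPLE_EVENT, index_by_email([ent]))["findings"])
```

The request body is what you would POST to the entities:batchCreate endpoint with your Ingestion API credentials; the enrichment half is included only to make the point of the page concrete: once the entity is in Chronicle, the PROCESS_LAUNCH event can be read alongside the user's termination and project-sensitivity context without an analyst having to look it up by hand.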