Manage properties metadata

The properties metadata enable you to rewrite how event fields will be presented and under what category they appear such as case overview – event fields and entity screen – enrichment fields. So for example, I can create a properties metadata in the platform so that all the events or enrichments fields that start with the VT_ prefix will be grouped under the VirusTotal category.

Once you have created the metadata property, you can validate it following the procedure below. 

To add properties metadata:

1. Navigate to Settings > Data Configuration > Properties Metadata.
   
2. Click add on the top right of the screen.
3. Add in the relevant information as follows:
   • System Name: this is the name of the raw field
   • Display Name: how you want it to display on the screen
   • Group Name: name of group/category it will appear under
   • Prefix: Used for grouping multiple fields together. Add in a prefix to group them together
   • Trim Prefix: so that the prefix does not display as part of the field name.
     Example – "VTdepartment" will be presented as "department" in case you defined "VT" prefix and trimmed it
   • Is displayed: Select this checkbox to display the field on the screen
   • Is highlighted: Select this checkbox to display the field in the Highlighted section of the screen.
4. Click Add.

To validate the properties metadata (without adding a Prefix):

1. Add properties metadata for a specific field without a prefix such as File Name as follows:
2. Click Add.
3. Navigate to the Cases screen > Alerts Event Tab > View More.
4. Click View More. The Category File appears in the side drawer.
   

To validate the properties metadata (with a Prefix):

1. Add properties metadata for multiple fields including a VT prefix as follows:
   
2. Click Save.
3. Navigate to the Cases screen.
4. In either the Cases Overview tab or the Alerts Overview tab, navigate to the Entities Highlights widget and click on an Entity. You will be directed to the Entity Details.