Create Entities (Mapping & Modeling)

Quick Summary

Google Security Operations uses an automated system, the Ontology, to extract the main objects of interest from raw alerts and create Entities. Each Entity is represented by an object that tracks its own history for future reference.

Overview

Entities are objects that represent points of interest extracted from alerts (IOCs, artifacts, and so on). Entities let you track their history automatically, group alerts without human intervention, and hunt for malicious activity based on the relationships between different entities.
Entities also help security analysts read cases faster and build playbooks more easily.

Part of configuring the Ontology involves a process called Mapping and Modeling. In this process you select the visual representation of alerts and the Entities that should be extracted from it.
Google Security Operations provides basic Ontology rules for most popular SIEM products out-of-the-box.

The best time to start customizing the Ontology is once a Connector is already pulling data into Google Security Operations. When configuring the Ontology you first choose the visualization type for the data (select the model / visual family), then map the fields that support the selected model and extract the entities (mapping).

Example – Ingested Email

Let's map and model new data of an ingested email.

  1. Run the Zero to Hero test case. Refer to Run Use Cases for full details on how to do this.
  2. In the Cases tab, open the Mail case from the Cases Queue and select the Events tab.
     (screenshot: createentities1)
  3. Click the settings icon to the right of the Alert to open the Event Configuration screen.
     (screenshot: createentities2)
  4. In the top left corner, click the word Mail in the hierarchy. This ensures that your configuration automatically applies to every piece of data coming from this product (Email box).
     (screenshot: createentities3)
  5. Assign the Visual Family that best represents the data. In our example this step can be skipped, because 'MailRelayOrTAP' was already selected when the Zero to Hero use case was deployed.
  6. Switch to Mapping and map the following Entity Fields:
     SourceUserName, DestinationUserName, DestinationURL, EmailSubject.
     To do this, double-click each field and select the raw data field for that entity in the Extracted Field. As the screenshot below shows, you can also provide alternative fields from which to extract the information.
     (screenshot: createentities4)
  7. To see what the original fields in the email are, click Raw Event Properties in the top right corner.
     (screenshot: createentities5)

Extract regular expressions

Google Security Operations does not support regular expression capture groups, so you cannot extract a substring by wrapping it in parentheses. To extract text from an event field with a regular expression pattern, use lookahead and lookbehind assertions in the extraction function logic: they anchor the match on the surrounding text without making that text part of the result.

In the following example, the event field displays a large chunk of text:

Suspicious activity on A16_WWJ - Potential Account Takeover (33120)

To extract only the text Suspicious activity on A16_WWJ, do the following:

  1. Enter the following regular expression in the Extraction function value field: Suspicious activity on A16_WWJ(?=.*)
  2. Select the To_String option in the Transformation function field.

To extract only the text after Suspicious activity on A16_WWJ, do the following:

  1. Enter the following regular expression in the Extraction function value field: (?<=Suspicious activity on A16_WWJ).*
  2. Select the To_String option in the Transformation function field.

Note that the second pattern keeps everything after the lookbehind, including the leading " - " separator; include the separator in the lookbehind if you want only the text that follows it. Any regex metacharacter that appears literally in the field, such as the parentheses around (33120), must be escaped with a backslash when you use it as an anchor.
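The two patterns above, and the general form they are instances of (text after a literal prefix and before a literal suffix, using only lookaround), run against the sample field as an added example. This is illustrative Python written for this page, not Google Security Operations code; the sample string is constructed from the text above, and the helper names and the check for capture groups are assumptions about how one would validate a pattern before pasting it into the Extraction function value field.

```python
import re

# Constructed sample value of the event field, copied from the text above.
SAMPLE_EVENT_FIELD = "Suspicious activity on A16_WWJ - Potential Account Takeover (33120)"

# The two patterns from the procedure above. (?=.*) always succeeds, so the
# first pattern matches exactly the literal title; the second uses a lookbehind
# so the title must precede the match but is not included in it.
TITLE_PATTERN = r"Suspicious activity on A16_WWJ(?=.*)"
AFTER_TITLE_PATTERN = r"(?<=Suspicious activity on A16_WWJ).*"


def has_capture_groups(pattern):
    """True if the pattern contains numbered capture groups.

    Lookarounds are non-capturing, so a lookaround-only pattern reports 0.
    (Hypothetical pre-check; the platform itself does not expose this.)
    """
    return re.compile(pattern).groups > 0


def extract_with_pattern(text, pattern):
    """Return the whole match (group 0) of a capture-group-free pattern, else None."""
    if has_capture_groups(pattern):
        raise ValueError("pattern uses capture groups; use lookaround instead")
    m = re.search(pattern, text)
    return m.group(0) if m else None


def extract_between(text, prefix="", suffix=""):
    """General form: the text after `prefix` and before `suffix`, using only lookaround.

    Both anchors are escaped with re.escape so metacharacters such as '(' or
    '.' in the literal text are matched literally. Python's re requires a
    fixed-width lookbehind, which an escaped literal always is. An empty prefix
    starts the match at the beginning of the field; an empty suffix runs it to
    the end of the field.
    """
    pattern = "(?<=" + re.escape(prefix) + ")" if prefix else ""
    if suffix:
        pattern += ".*?(?=" + re.escape(suffix) + ")"  # lazy: stop at the first suffix
    else:
        pattern += ".*"
    return extract_with_pattern(text, pattern)


if __name__ == "__main__":
    print(extract_with_pattern(SAMPLE_EVENT_FIELD, TITLE_PATTERN))
    print(repr(extract_with_pattern(SAMPLE_EVENT_FIELD, AFTER_TITLE_PATTERN)))
    print(extract_between(SAMPLE_EVENT_FIELD, "Suspicious activity on A16_WWJ - ", " ("))
    print(extract_between(SAMPLE_EVENT_FIELD, "(", ")"))
```

Running the script shows the first procedure returning the bare title, the second returning the rest of the line with its leading " - " still attached, and the general helper pulling out "Potential Account Takeover" and "33120" once the separators and the escaped parentheses are used as anchors. Python's re is stricter than some engines in requiring fixed-width lookbehind; building the lookbehind from an escaped literal keeps the patterns portable to engines with that restriction.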