The Google Security Operations ontology is a formal specification that provides a
shareable and reusable knowledge representation of the alerts and events that
will be consumed. The ontology allows Google SecOps to build
entities out of events and to define relationships between them. This lets the
user see the full "picture" and gives them the ability to explore potential
threats via the Explore Cases
screen. Once entities have been defined using the ontology, you can run actions on them based on their role in
the attack or event.
After you have established an initial data connection, you will need to
complete the following procedures to ensure that the data is ingested into the
Google SecOps data model. You will also need to map and model new events
and alerts according to your requirements and as your connectors pick up new
events.
Set up model families:
Step One: Define the family in Settings > Ontology > Visual Families.
Step Two: Assign the family to the event in the Event Configuration screen.

Map data fields:
Step One: Using the Case Management and/or Explore screen, identify missing or incorrect field information.
Step Two: Check whether this can be solved by attaching a new Visual Family.
Step Three: Otherwise, edit and configure the rules that make up both the Family and the general System fields in the Event Configuration > Mapping screen.
Last updated 2025-03-06 UTC.