Visual Families

Visual families specify the relationship between the entities and protagonists from the third-party applications. You can configure the family's fields and relationships.

The family is attached to a specific event / product in the Event Configuration > Visualization screen. The family is then displayed in the Explore Cases screen for each event, product or source so that the analyst can see who did what and when.

To clone or create a visual family:

  1. Navigate to Settings > Ontology > Visual Families.
  2. Either select one of the existing visual families and click the Duplicate icon on the top right, or select and create a new family from scratch.
  3. In the Family Rules screen that opens, edit the relevant information by either selecting a row and clicking Or click to add a new family rule.
  4. Enter the relevant information:
       - Primary to Fourth Source: where to take the information from.
       - Primary to Fourth Destination: where in Google Security Operations to send it.
       - Relation Type: Type (action) or Linked (connection). An action is when one entity does something to another entity (for example, a user sends an email). A connection simply means the two entities are related (for example, a user and the machine's host name). In the Explore screen, Type (action) is denoted by an arrow and Linked (connection) is denoted by a dotted line.
  5. Click Save.
  6. Make sure to click the Save icon on the top right of the screen before exiting this screen.