Add or edit entity properties

You can add or edit entity enrichment properties from various pages as part of your case investigation. Adding or editing entity properties lets you work more efficiently during a case investigation. You can add 100 entity properties to a single entity.

You can add or edit an entity enrichment on the following pages:

  • Investigation: Drill down to the required case and then click Explore. The Investigation page opens.

  • Entity Explorer: Drill down to the required case and select the required entity in the Entity Highlights widget. The Entity Explorer page opens.

  • Cases: Drill down to the required case and select the required entity in the Entities Highlights widget and click View more. A side drawer opens with the entity properties.

  • Cases: Drill down to the required case and select the Entities Graph widget and click the entity icon. A side drawer opens with the entity properties.

Edit Entity Property 

In this example, a case involves a potential malware threat. The file attached to the case was marked as suspicious with low confidence. After running a TI enrichment block and comparing it to previous cases with similar results, you are sure this file is malicious. You want to update the confidence level of the suspicious hash from Low to High.

You can edit the hash's confidence_level property directly from the Investigation page. 

To edit an entity property:

  1. On the Cases page, drill down to the Virus Found or Security Risk Found case and then click Explore in the top right corner. The Investigation page opens.
  2. Click the File Hash entity icon on the Investigation page.
  3. Hold the pointer over the confidence_level value in the Entity Property side drawer. Three dots appear.
  4. Click the three dots and then click View or edit property from the menu.
  5. Edit the Value in the dialog box. Change the value of confidence_level from Low to High to highlight the potential risk of the hash entity. You have the option to select the type of format used to display the data in the side drawer.
  6. Click Save. The entity key and value for confidence are updated in the data and reflected in the entity property side drawer.

Note: Entity properties such as isAttacker and isVulnerable cannot be changed to false after being set to true.


Add Entity Property

As part of the investigation, you may want to include other entity keys to enrich your case investigation. You've decided that you want to identify what kind of malware is being used to better understand the threat. The following example shows how to create a new entity property called Malware_family. 

To add an entity property: 

  1. In the Cases queue, select the Virus Found or Security Risk Found case and then click Explore in the top right corner. The Investigation page opens.
  2. Click Add at the top of the Entity Property side drawer on the Investigation page.
  3. Enter Malware_family for Key and Trojan.Generic for Value.
  4. Click Save. The new entity property key Malware_family and its value Trojan.Generic provide you with another layer of understanding during your case investigation.