Entity Selection

Google Security Operations ingests alerts from various sources. Each alert is ingested with its underlying base security events. Those security events are analyzed and their indicators — including IP addresses, usernames, and domains — are extracted into objects. Those objects are called entities. Each entity contains its own properties.

View the properties of an entity

  1. From the Cases page, select a case. In the default case view, the entities are displayed under Entity Highlights (in both the Case Overview tab and the Alerts tab).
  2. Click View Details to view the properties of an entity. A side drawer opens up to display all of the properties for that entity for the alert.
  3. Click an entity name to open the Entity Explorer in a new tab. The Entity Explorer displays all of the cases that the entity is involved with.

Entity Selection action

When an alert is ingested, a playbook is initiated and makes the appropriate decisions on how to proceed with the alert. Google Security Operations runs these playbook actions automatically or semi-automatically, according to the playbook's triggers, whenever an alert is ingested.

Each action in the playbook has a group of entities it runs on. The Entity Selection action creates additional groups. By clicking on an action, you can choose a group of entities that the action recognizes and works on. For example, a group of entities can be chosen that only recognizes and works on internal entities.


However, you may want to create a different group that recognizes and works on different sets of entities. Using the Entity Selection action, you can create a new entity group to run actions upon, based on entity properties.

To create a new group:

  1. In the Playbooks page, click Open Step Selection.
  2. In the Step Selection tab, select Actions and then select Flow.
  3. Drag Entity Selection into the second box labeled Drag a step over here.
  4. Double-click the middle box that is now labeled Entity Selection to create a new group of entities that can be used in other actions.
  5. Add the conditions needed to select the new group of entities. For example, you might select all the IP Address entities that were enriched by VirusTotal v3 and flagged as malicious by more than 10 engines.

  6. You can now choose the new group in all the actions that follow the Entity Selection action.


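As an added illustration (not Google Security Operations code), the following Python models how an Entity Selection step derives a new entity group from entity properties: the built-in internal group alongside the custom group from step 5, IP Address entities enriched by VirusTotal v3 and flagged malicious by more than 10 engines. The entity type strings and the property name `vt_v3_malicious_engines` are assumptions, and the sample entities are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Constructed entity model; type names and property keys are assumptions for
# this example, not Google Security Operations field names.
@dataclass
class Entity:
    identifier: str
    entity_type: str            # e.g. "ADDRESS", "DOMAIN", "USERUNIQNAME"
    properties: dict = field(default_factory=dict)

Condition = Callable[[Entity], bool]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(e: Entity) -> bool:
    """Built-in style group: RFC 1918 IPs, or any entity carrying an internal flag."""
    if e.entity_type == "ADDRESS":
        try:
            ip = ipaddress.ip_address(e.identifier)
        except ValueError:
            return False
        return any(ip in net for net in RFC1918)
    return bool(e.properties.get("is_internal", False))

def vt_malicious_ip(threshold: int = 10) -> Condition:
    """Custom group from step 5: IP entities enriched by VirusTotal v3 with more than
    `threshold` engines reporting malicious. Entities never enriched are excluded."""
    def cond(e: Entity) -> bool:
        count = e.properties.get("vt_v3_malicious_engines")
        return e.entity_type == "ADDRESS" and count is not None and count > threshold
    return cond

def select_entities(entities: Iterable[Entity], *conditions: Condition) -> List[str]:
    """Entity Selection: an entity joins the new group only if every condition holds."""
    return [e.identifier for e in entities if all(c(e) for c in conditions)]

# Constructed sample entities extracted from one alert.
ALERT_ENTITIES = [
    Entity("10.0.0.5", "ADDRESS", {"vt_v3_malicious_engines": 0}),
    Entity("203.0.113.7", "ADDRESS", {"vt_v3_malicious_engines": 23}),
    Entity("198.51.100.9", "ADDRESS", {"vt_v3_malicious_engines": 4}),
    Entity("192.0.2.44", "ADDRESS"),                                   # not enriched
    Entity("evil.example", "DOMAIN", {"vt_v3_malicious_engines": 30}),  # not an IP
    Entity("jdoe", "USERUNIQNAME", {"is_internal": True}),
]

if __name__ == "__main__":
    print("internal group:", select_entities(ALERT_ENTITIES, is_internal))
    print("VT>10 IP group:", select_entities(ALERT_ENTITIES, vt_malicious_ip(10)))
```

Later actions in the playbook would then run on whichever group is chosen, exactly as step 6 describes for the group created in the UI.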