Conduct a search for entity context data

The Entity Context in Search feature enhances security investigations and incident response by letting users search for and view context events related to entities within their Google Security Operations account. Where standard search is limited to the Unified Data Model (UDM) event schema, this feature extends search to UDM entity context data, providing deeper insight into security incidents.

Key benefits

  • Security analysts and threat hunters can query contextual information about entities.
  • Supports root cause analysis, threat hunting, and forensics.
  • Users can run statistical searches on entity context to understand telemetry patterns and identify impacted entities.

You can use entity context to gain insights from your search results in the following ways:

  • Search using UDM entity field names: Build your search queries using UDM entity field names. For example, to find all context events associated with a specific hostname, create a search using graph.entity.hostname.
  • Access the Overview tab: The Overview tab provides a high-level summary of the entities found in your search, built from the query you enter. The Overview page displays information for entity types such as DOMAIN_NAME, IP_ADDRESS, ASSET, USER, FILE, GROUP, and RESOURCE.
  • Use the Entity tab: The Entity tab lists all entity context events received, including subcomponents like Trend Over Time, Snapshot Filter, Aggregations, and Events. The entities are categorized into timed and timeless entities, displayed in separate tabs.
  • View aggregates: Aggregates are displayed for fields, similar to the UDM event search. The aggregations are further categorized into context types: Entity Context, Derived Context, and Global Context.

Use case: Investigate a compromised user account

Consider the following scenario: a security analyst needs to investigate a potentially compromised user account (email@company.com). Follow these steps to investigate:

  1. Identify the compromised user: An alert flags the user email@company.com as a suspicious account.

  2. Gather Entity Context information: Get contextual data about the user to understand the scope and impact.

  3. Run queries: Use Entity Context in Search to run the following queries:

    • graph.entity.email = "email@company.com" to retrieve information about the user.
    • graph.entity.email = "email@company.com" AND graph.metadata.product_name = "Google Cloud Compute Context" to check the product name and other metadata.
  4. Analyze the Overview tab: The Overview tab displays the entity summary for the user, including:

    • First Seen and Last Seen timestamps.
    • Hostnames, IP addresses, and MAC addresses (if available).
    • Hardware model, OS platform, and platform version.
  5. Examine the Events tab: View the events associated with this user, including login attempts and anomalies.

  6. Review aggregates: Identify patterns and anomalies in the entity context data, which is grouped into Entity Context, Derived Context, and Global Context.

To search for entity context data, use UDM entity field names in your search queries:

  • graph.entity.hostname
  • graph.entity.ip = "8.8.8.8" and graph.metadata.entity_type = "ASSET"

The search results display key information about the entities, including:

  • Entity metadata
  • Metrics (First Seen, Last Seen)
  • Relations (Entity, Direction, Entity_label, Entity_type, Relationship)
  • Depending on the entity type, specific fields, such as Principal_ip for assets, Mail_id for users, File_name for hashes/files, and Domain_name and IP_address for domains.
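To make the query shapes above concrete (the two queries in step 3 of the use case and the two in this section), here is a small evaluator written for this page, not Google SecOps code. It applies searches of the form `field = "value"`, clauses joined with `AND`, or a bare field (meaning the field is present) to constructed entity context records, and then builds an Overview-style summary (First Seen / Last Seen, hostnames, IPs, timed vs. timeless counts, and aggregates by context type). Field names follow the page (`graph.entity.*`, `graph.metadata.*`); the record layout, the `interval` timestamps and the `context_type` label are assumptions of this example, and the 50-row global-context cap is the limit the page states.

```python
import re

# Constructed sample entity-context records (not real telemetry). Field names
# follow the page; "context_type" and the interval layout are assumptions.
ENTITY_CONTEXT = [
    {"graph": {"metadata": {"entity_type": "USER",
                            "product_name": "Google Cloud Compute Context",
                            "interval": {"start_time": "2024-05-01T08:00:00Z",
                                         "end_time": "2024-05-01T09:00:00Z"}},
               "entity": {"email": "email@company.com", "hostname": "wks-17",
                          "ip": "10.0.0.5"}},
     "context_type": "Entity Context"},
    {"graph": {"metadata": {"entity_type": "USER",
                            "product_name": "Google Cloud Compute Context",
                            "interval": {"start_time": "2024-05-02T10:30:00Z",
                                         "end_time": "2024-05-02T11:00:00Z"}},
               "entity": {"email": "email@company.com", "hostname": "wks-42",
                          "ip": "10.0.0.9"}},
     "context_type": "Derived Context"},
    # No interval: a timeless entity, served from global context data.
    {"graph": {"metadata": {"entity_type": "ASSET", "product_name": "Asset Inventory"},
               "entity": {"hostname": "dns-edge", "ip": "8.8.8.8"}},
     "context_type": "Global Context"},
    {"graph": {"metadata": {"entity_type": "USER", "product_name": "HR Directory"},
               "entity": {"email": "other@company.com"}},
     "context_type": "Entity Context"},
]

GLOBAL_CONTEXT_ROW_LIMIT = 50  # cap on global context rows stated by the page

CLAUSE = re.compile(r'^(\S+)\s*=\s*"([^"]*)"$')


def parse_query(query):
    """Split 'a = "x" AND b' into [(path, value_or_None), ...].
    AND is the only operator the page's examples use; a bare path means
    "field is present"."""
    clauses = []
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE.match(part.strip())
        clauses.append((m.group(1), m.group(2)) if m else (part.strip(), None))
    return clauses


def get_path(record, dotted):
    """Walk a dotted UDM path such as graph.entity.hostname; None if absent."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(record, clauses):
    return all(
        (get_path(record, path) is not None) if value is None
        else get_path(record, path) == value
        for path, value in clauses)


def search(query, records=ENTITY_CONTEXT):
    """Return matching records, enforcing the global-context row cap."""
    clauses, hits, global_rows = parse_query(query), [], 0
    for rec in records:
        if not matches(rec, clauses):
            continue
        if rec.get("context_type") == "Global Context":
            if global_rows >= GLOBAL_CONTEXT_ROW_LIMIT:
                continue
            global_rows += 1
        hits.append(rec)
    return hits


def overview(hits):
    """Overview-tab style summary of a result set. ISO-8601 UTC strings of
    equal length compare correctly as text, so min/max give First/Last Seen."""
    starts = [s for s in (get_path(r, "graph.metadata.interval.start_time") for r in hits) if s]
    ends = [e for e in (get_path(r, "graph.metadata.interval.end_time") for r in hits) if e]
    by_ctx = {}
    for r in hits:
        ctx = r.get("context_type", "Entity Context")
        by_ctx[ctx] = by_ctx.get(ctx, 0) + 1
    return {
        "first_seen": min(starts) if starts else None,
        "last_seen": max(ends) if ends else None,
        "hostnames": sorted({h for h in (get_path(r, "graph.entity.hostname") for r in hits) if h}),
        "ips": sorted({i for i in (get_path(r, "graph.entity.ip") for r in hits) if i}),
        "timed": len(starts),
        "timeless": len(hits) - len(starts),
        "by_context_type": by_ctx,
    }


if __name__ == "__main__":
    user_hits = search('graph.entity.email = "email@company.com"')
    print(overview(user_hits))
    print(overview(search('graph.entity.ip = "8.8.8.8" and graph.metadata.entity_type = "ASSET"')))
```

The cap is applied per result set, which is why a search that happens to match many global-context rows returns at most 50 of them while entity and derived context rows are unaffected; the real product's Last Seen value can also lag by up to two hours, so a summary like this should be read with that delay in mind.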

Additional examples of using the Entity Context in Search feature in Google SecOps:

Basic UDM entity field searches

  • graph.entity.hostname
  • graph.entity.ip = "8.8.8.8" and graph.metadata.entity_type = "ASSET"
  • principal.ip
  • principal.hostname="baz"
  • principal.ip="1.2.3.4"
  • network.dns.questions.name="youtube.com"

Pivoting from entity fields

Use entity fields to pivot and explore related data. Examples of pivot fields include:

  • network.email.to
  • network.email.cc
  • principal.process.file.fileMetadata.pe.importHash
  • principal.process.file.sha256
  • network.dns.questions.name

Understand dynamic fields

UDM also includes dynamic structured fields with prefixes such as additional. You can search these fields within UDM events.

Access control considerations

A limit of 50 events is imposed on global context data, and that data is displayed for users with the global data access scope.

Limitations

  • Volume limits: A 1M limit applies to cumulative results across both timed and timeless data.
  • Global context data: A limit of 50 rows applies to sensitive global context data such as UPPERCASE_VT_PROTECTED, MANDIANT_ACTIVE_BREACH_IOC, MANDIANT_FUSION_IOC, and VIRUS_TOTAL_CONNECTIONS, displayed for users with global data access scope.
  • Data consistency: Last Seen data can lag by up to 2 hours. Related entities might show only a subset of the entities listed in an event.
  • Unsupported features:

    • Reverse lookups on entity fields, grouped field searches, Low Prevalence, and HeatMap.
    • You can't join between entity context and event queries.
