Manage properties metadata


Properties metadata lets you change how event fields are presented and which category they appear under, in views such as the case overview (event fields) and the entity screen (enrichment fields). For example, you can create a properties metadata entry in the platform so that all event or enrichment fields that start with the VT_ prefix are grouped under the VirusTotal category.

Once you have created the properties metadata, you can validate it by following the procedures below.

To add properties metadata:

  1. Navigate to Settings > Data Configuration > Properties Metadata.
  2. Click on the top right of the screen.
  3. Add in the relevant information as follows:
    • System Name: the name of the raw field.
    • Display Name: how you want the field to display on the screen.
    • Group Name: the name of the group or category the field will appear under.
    • Prefix: used for grouping multiple fields together. Add a prefix to group all fields that start with it.
    • Trim Prefix: hides the prefix so that it does not display as part of the field name.
      Example: "VT_department" is presented as "department" if you defined the "VT_" prefix and trimmed it.
    • Is displayed: select this checkbox to display the field on the screen.
    • Is highlighted: select this checkbox to display the field in the Highlighted section of the screen.
  4. Click Add.

To validate the properties metadata (without adding a Prefix):

  1. Add properties metadata for a specific field without a prefix such as File Name as follows:
  2. Click Add.
  3. Navigate to the Cases screen > Alerts Event Tab > View More.
  4. Click View More. The Category File appears in the side drawer.

To validate the properties metadata (with a Prefix):

  1. Add properties metadata for multiple fields including a VT prefix as follows:
  2. Click Save.
  3. Navigate to the Cases screen.
  4. In either the Cases Overview tab or the Alerts Overview tab, navigate to the Entities Highlights widget and click on an Entity. You will be directed to the Entity Details.

Use cases

The following use cases demonstrate the system's flexibility to manage and display events within cases, including:

Default appearance of the events in cases

In Google SecOps, each case is made up of a subset of alerts. Most alerts also provide access to events, and each event includes specific fields that describe what happened in the event itself. To test this, create a new case within the Google SecOps system, as follows:
  1. Select Cases > Add > Simulate Cases.
  2. Create a new Malware Detected case in your preferred environment. You don't need to create a new environment; you can use the Default Environment if there aren't any others.
  3. In the description of the case, select an alert VIRUS FOUND… and then select the Events tab. In the list of events a single event VIRUS FOUND… appears.
  4. Click the VIRUS FOUND… event and explore the list of fields, appearing on the right side of the screen.
  5. Scroll to find the fields related to the event date.

Modify the appearance of the events in cases

You can modify the appearance of events. You can also rename and group fields. To modify the appearance of an event, you need to change the Properties Metadata. This example describes the steps to reconfigure the following fields to appear in Spanish:
  1. Open another tab in your browser and select SOAR Settings > Data Configuration > Properties Metadata.
  2. Using this interface, reconfigure the following fields to appear in Spanish:
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
  3. Click Add and redefine the field values according to the following table.
  4. Process all other fields similarly and set the recommended values as listed in the table:

     System name   Display name       Group name         Is displayed   Is highlighted
     date_hour     Hora               Fecha del evento   yes            yes
     date_mday     Día del mes        Fecha del evento   yes            no
     date_minute   Minuto             Fecha del evento   yes            yes
     date_month    Mes                Fecha del evento   yes            no
     date_second   Segunda            Fecha del evento   no             no
     date_wday     Día de la semana   Fecha del evento   no             no
     date_year     Año                Fecha del evento   no             no
     date_zone     Zona horaria       Fecha del evento   yes            no

  5. Click the following radio buttons:
    • Is displayed: controls whether the field appears in the event description. If you don't select this button, the field won't appear.
    • Is highlighted: moves this field to a dedicated group of highlighted fields.
  6. Enter the word date_ in the Search filter and refresh the screen.
  7. In the previous tab, where the VIRUS_FOUND event is still open, refresh the browser tab (F5 or Command+R).
  8. Select the same event and scroll to Highlighted Fields; find Hour and Minute of the event in the list of fields; these fields are now highlighted.
  9. Scroll further down and find the Fecha Del Evento group; all the fields that we renamed and selected to appear are displayed.
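
As an added illustration (not Google SecOps code and not part of the original page), the following Python model shows how a set of properties metadata entries, using values from the date_ table above and the VT_ prefix example, regroups one event's raw fields and which fields end up hidden. The precedence of System Name over Prefix, the "Default" group name and the sample event are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    group: str
    system_name: str = ""      # raw field name (exact match)
    display_name: str = ""
    prefix: str = ""           # groups every field that starts with it
    trim_prefix: bool = False
    displayed: bool = True
    highlighted: bool = False

# Entries from this page: part of the date_ table plus the VT_ prefix example.
RULES = [
    Rule("Fecha del evento", "date_hour", "Hora", highlighted=True),
    Rule("Fecha del evento", "date_mday", "Día del mes"),
    Rule("Fecha del evento", "date_minute", "Minuto", highlighted=True),
    Rule("Fecha del evento", "date_second", "Segunda", displayed=False),
    Rule("VirusTotal", prefix="VT_", trim_prefix=True),
]

def match(name, rules):
    # Assumption: an exact System Name entry wins over a Prefix entry.
    exact = next((r for r in rules if r.system_name == name), None)
    if exact:
        return exact
    return next((r for r in rules if r.prefix and name.startswith(r.prefix)), None)

def render(event, rules=RULES):
    """Return (view, hidden): view is {group: {label: value}}, hidden lists raw names."""
    view, hidden = {}, []
    for name, value in event.items():
        rule = match(name, rules)
        if rule is None:
            # Assumption: unmatched fields keep their raw name in a default group.
            view.setdefault("Default", {})[name] = value
        elif not rule.displayed:
            hidden.append(name)
        else:
            label = rule.display_name or name
            if not rule.display_name and rule.trim_prefix:
                label = name[len(rule.prefix):]
            # Per the page, "Is highlighted" moves the field to the highlighted group.
            group = "Highlighted Fields" if rule.highlighted else rule.group
            view.setdefault(group, {})[label] = value
    return view, hidden

# Constructed sample event (values are illustrative only).
EVENT = {"date_hour": "14", "date_minute": "05", "date_mday": "3", "date_second": "59",
         "VT_department": "finance", "VT_score": "7", "src_ip": "192.0.2.10"}
```

The `hidden` list returned by `render(EVENT)` is worth reviewing before saving entries, because fields with Is displayed cleared no longer appear in the event description that analysts see.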


