The Event Configuration feature lets you assign visual families to events, providing
a graphic visualization of their relationships with other actions. This process
ensures events are correctly categorized and contain accurate and complete
information.
Event configuration contains the following capabilities:
Visualization: Assign a family to an event. This family
acts as a visual map of relationships and entities, giving you the best graphic
explanation of what happened. The assigned family appears on the Explore Cases screen.
Mapping: Edit or add specific field information to correct errors or fill in missing data.
To access the Event Configuration page, do one of the following:
Select a case from the case queue, go to the alert Events tab, and click settingsConfigure.
In Settings > Ontology > Ontology Status, click
settings
Configure.
Assign a model family
The model family provides a graphic visualization of the relationship between
all the events and actions that take place.
The Visualization page is where you assign the
event, product, or source to a specific family. This visual family appears on the
Explore Cases
page.
You can assign a model family at three levels:
Source Level: The top level. A family assigned here is inherited by
all products and events within that source.
Product Level: The second level. A family assigned here is inherited
by all events within that product.
Event Level: The ground level.
The model family is inherited from the parent. If you assign a family at source level, the product and event inherit the model family from the source level. You can edit the mapped fields at each level to override the
parent settings.
Google Security Operations provides 24 standard model families, and you can
create more as needed. For more information, see Visual families.
To assign a model family, follow these steps:
On the Events Configuration page, click Visualization.
Select the model family that most resembles the relationship between events
and actions that occur in this situation.
In the Confirmation dialog, click Yes to confirm the assignment.
Manage an event's specific field
The Mapping page is where you manage an event's specific field information.
It displays the fields that belong to the assigned model family.
For example, if an event is ingeested and you can see missing or incorrect information, do the following:
On the Alerts Events tab, click settingsConfigure and verify that it's assigned to the correct visual family.
Go to the Mapping page to edit or add specific field information.
You can perform various actions on these fields:
Click
more_vert
More at the end of each row.
Click
edit
Edit FIeld.
In the Map Target Field dialog, enter the name of the event field to extract and click Save.
Editable fields
Double-click the entity to edit the following fields:
:
Field
Description
Extracted Field
Main field name in the raw event field to take information from.
Pro-tip: Use Contains or Starts with to divide data into
separate entities entities. This is useful for multiple
fields like url_1 and url_2 to create multiple entities.
Alternative Field 1
Fallback field in the raw event field to take information from if the
primary field isn't found.
Alternative Field 2
Fallback field in the raw event field to take information from if both
primary and secondary aren't found.
Extraction Function
Extracts or manipulates data from the raw event field. The three options are:
None: the raw data is
presented as is.
Delimiter: Delimiter can be defined with a
character (or up to 64 characters) to divide the data into separate
entities. The default is Delimiter = , (comma)
Regular expression: Uses a regular expression
to divide data into separate entities.
Transformation Function
Transforms information from the data source to be compatible with the database. Available functions
are:
TO_STRING
FROM_UNIXTIME_STRING_OR_LONG
FROM_CUSTOM_DATETIME
EXTRACT_BY_REGEX
TO_IP_ADDRESS
. Once you've chosen the function, add the
appropriate parameter. For example, select FROM_CUSTOM_DATETIME and reformat the date and time to %Y-%m-%DT%H:%M:%S.
You can extract data from one source field and map it to different
target fields. For example, if a source field has both a hostname and an IP
address, you can separate them using regular expressions.
Show results after mapping
To view the values after the mapping process, follow these steps:
Click
more_vert
More>Show Result.
Add enrichment data
Various SIEMs include enrichment data as part of the initial ingestion
process. To add enrichment data, follow these steps:
Choose which enrichment values you want to add to the entity.
Click Save. The next time this entity is ingested into the platform
as part of the alert, click View Details and this enrichment field
will appear under the Raw Enrichment heading in the side
drawer.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThe Event Configuration screen in Google Security Operations allows users to assign visual model families to sources, products, or events, providing a graphical representation of relationships between events and actions.\u003c/p\u003e\n"],["\u003cp\u003eVisual model families can be assigned at the source, product, or event level, with inheritance from the parent level, but field mappings can be edited to override these inherited settings.\u003c/p\u003e\n"],["\u003cp\u003eThe Mapping screen allows for the configuration of individual fields, including editing extracted fields, defining alternative fields, setting extraction functions (None, Delimiter, Regex), and applying transformation functions for data compatibility.\u003c/p\u003e\n"],["\u003cp\u003eUsers can view the results of the mapping process using the "Show Result" option and add enrichment data to entities via the "Add Enrichment" feature.\u003c/p\u003e\n"],["\u003cp\u003e24 pre-built visual model families are provided and more can be added, cloned and edited as needed.\u003c/p\u003e\n"]]],[],null,["Configure mapping and assign visual families \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc)\n\n\u003cbr /\u003e\n\nSee [Ontology Overview](/chronicle/docs/soar/admin-tasks/ontology/ontology-overview) first. \nThe **Event Configuration** feature lets you assign visual families to events, providing\na graphic visualization of their relationships with other actions. This process\nensures events are correctly categorized and contain accurate and complete\ninformation.\n\nEvent configuration contains the following capabilities:\n\n- **Visualization** : Assign a *family* to an event. This family acts as a visual map of relationships and entities, giving you the best graphic explanation of what happened. The assigned family appears on the **Explore Cases** screen.\n- **Mapping**: Edit or add specific field information to correct errors or fill in missing data.\n\nTo access the **Event Configuration** page, do one of the following:\n\n- Select a case from the case queue, go to the alert **Events** tab, and click settings **Configure**.\n- In **Settings \\\u003e Ontology \\\u003e Ontology Status** , click settings **Configure**.\n\nAssign a model family\n\nThe model family provides a graphic visualization of the relationship between\nall the events and actions that take place.\n\nThe **Visualization** page is where you assign the\nevent, product, or source to a specific family. This visual family appears on the\n[Explore Cases](/chronicle/docs/soar/investigate/working-with-cases/explore-entities-and-alerts-investigation)\npage.\n\nYou can assign a model family at three levels:\n\n- **Source Level**: The top level. A family assigned here is inherited by all products and events within that source.\n- **Product Level**: The second level. A family assigned here is inherited by all events within that product.\n- **Event Level**: The ground level.\n\nThe model family is inherited from the *parent*. If you assign a family at source level, the product and event inherit the model family from the source level. You can edit the mapped fields at each level to override the\nparent settings.\n\nGoogle Security Operations provides 24 standard model families, and you can\ncreate more as needed. For more information, see [Visual families](/chronicle/docs/soar/admin-tasks/ontology/visual-families).\n\nTo assign a model family, follow these steps:\n\n1. On the **Events Configuration** page, click **Visualization**.\n2. Select the model family that most resembles the relationship between events and actions that occur in this situation.\n3. In the **Confirmation** dialog, click **Yes** to confirm the assignment.\n\nManage an event's specific field\n\nThe **Mapping** page is where you manage an event's specific field information.\nIt displays the fields that belong to the assigned model family.\n\nFor example, if an event is ingeested and you can see missing or incorrect information, do the following:\n\n1. On the **Alerts Events** tab, click settings **Configure** and verify that it's assigned to the correct visual family.\n2. Go to the **Mapping** page to edit or add specific field information.\n\n\u003cbr /\u003e\n\nYou can perform various actions on these fields:\n\n1. Click more_vert **More** at the end of each row.\n2. Click edit **Edit FIeld**.\n3. In the **Map Target Field** dialog, enter the name of the event field to extract and click **Save**.\n\nEditable fields\n\nDouble-click the entity to edit the following fields:\n:\n\n| **Field** | **Description** |\n|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Extracted Field | Main field name in the raw event field to take information from. Pro-tip: Use `Contains` or `Starts with` to divide data into separate entities entities. This is useful for multiple fields like `url_1` and `url_2` to create multiple entities. |\n| Alternative Field 1 | Fallback field in the raw event field to take information from if the primary field isn't found. |\n| Alternative Field 2 | Fallback field in the raw event field to take information from if both primary and secondary aren't found. |\n| Extraction Function | Extracts or manipulates data from the raw event field. The three options are: - **None**: the raw data is presented as is. - **Delimiter**: Delimiter can be defined with a character (or up to 64 characters) to divide the data into separate entities. The default is Delimiter = , (comma) - **Regular expression**: Uses a regular expression to divide data into separate entities. |\n| Transformation Function | Transforms information from the data source to be compatible with the database. Available functions are: - `TO_STRING` - `FROM_UNIXTIME_STRING_OR_LONG` - `FROM_CUSTOM_DATETIME` - `EXTRACT_BY_REGEX` - `TO_IP_ADDRESS` . Once you've chosen the function, add the appropriate parameter. For example, select `FROM_CUSTOM_DATETIME` and reformat the date and time to `%Y-%m-%DT%H:%M:%S`. | **Note:**The transformation function applies after the extraction function and if multiple entities are created by the extraction function, it will apply the transformation on each one of them separately. |\n\n\nYou can extract data from one source field and map it to different\ntarget fields. For example, if a source field has both a hostname and an IP\naddress, you can separate them using regular expressions.\n\nShow results after mapping\n\nTo view the values after the mapping process, follow these steps:\n\n- Click more_vert **More** \\\u003e **Show Result**.\n\nAdd enrichment data\n\nVarious SIEMs include enrichment data as part of the initial ingestion\nprocess. To add enrichment data, follow these steps:\n\n1. Select more_vert **More** \\\u003e database_upload **Add Enrichment**.\n2. Choose which enrichment values you want to add to the entity.\n3. Click **Save** . The next time this entity is ingested into the platform as part of the alert, click **View Details** and this enrichment field will appear under the **Raw Enrichment** heading in the side drawer.\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
