Google Security Operations uses an automated system (Ontology) to extract the main objects
of interest from the raw alerts to create entities. Each entity will be
represented by an object that can track its own history for future reference.
Overview
Entities are objects that represent points of interest extracted from alerts
(IOCs, artifacts etc.). Entities allow you to automatically track their
history, group alerts without human intervention and hunt for malicious
activity based on the relationship between the different entities. Entities
can also help security analysts to read cases faster and build playbooks more
seamlessly.
Part of configuring the Ontology involves a process called Mapping and
Modeling. In this process you select the visual representation of alerts and
the Entities that should be extracted from it. Google SecOps provides
basic Ontology rules for most popular SIEM products out-of-the-box.
The best time to start customizing the Ontology is when you already have a
Connector that pulls data into Google SecOps. When configuring Ontology, the
user is first required to choose the visualization type for the data (select
the model \ visual family) and then map the fields to support the selected
model and extract the entities (mapping).
Supported entities
The following entities are supported:
Address
Application
Cluster
Container
Credit Card
CVE
Database
Deployment
Destination URL
Domain
Email Subject
File Hash
File Name
Generic Entity
Host Name
IP Set
MAC Address
Phone Number
POD
Process
Service
Threat Actor
Threat Campaign
Threat Signature
USB
User Name
Example – Ingested Email
Let's map and model new data of an ingested email.
Run the Zero to Hero test case. Refer to
Run Use Cases
for full details on how to do this.
In the Cases tab, click to open the Mail case from the Cases Queue and
select the Events tab.
Click on
settings
on the right of the Alert, to open the Event Configuration screen.
On the top left corner, click the word Mail in the hierarchy. That
ensures that your configuration will automatically work for every piece of
data coming from this product (Email box).
Assign the Visual Family that most represents the data
— in our example we can skip this step as 'MailRelayOrTAP'
has already been selected following the deployment of the Zero to Hero use
case.
Switch to Mapping and map the following Entity Fields: SourceUserName,
DestinationUserName, DestinationURL, EmailSubject. This can be done by
double clicking each and selecting the raw data field for that entity in the
Extracted Field. As you can see in the screenshot below, you can provide
alternative fields from which to extract the information from.
In order to see what the original fields are in the email, click on Raw
Event Properties in the top right corner.
Extract regular expressions
Google SecOps does not support regular expression groups. To extract
text from the event field using regular expression patterns, use lookahead
and lookbehind in the extraction function logic.
In the following example, the event field displays a large chunk of text:
Suspicious activity on A16_WWJ - Potential Account Takeover (33120)
To extract only the text Suspicious activity on A16_WWJ, do the
following:
Enter the following regular expression in the Extraction function
value field:
Suspicious activity on A16_WWJ(?=.*)
Select the To_String option in the Transformation function field.
To extract only the text after Suspicious activity on A16_WWJ,
do the following:
Enter the following regular expression in the Extraction function
value field:
(?<=Suspicious activity on A16_WWJ).*
Select the To_String option in the Transformation function
field.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eGoogle Security Operations utilizes an automated system called Ontology to identify and extract key objects, or entities, from raw alerts, allowing for the tracking of their history.\u003c/p\u003e\n"],["\u003cp\u003eEntities, which can be IOCs or artifacts, represent important points of interest and enable automated tracking, grouping of alerts, and detection of malicious activity based on entity relationships, as well as quicker case analysis and playbook building.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring the Ontology involves Mapping and Modeling, where users define the visual representation of alerts and select which entities should be extracted, with Google SecOps offering pre-built rules for common SIEM products.\u003c/p\u003e\n"],["\u003cp\u003eThe process of customizing Ontology begins with selecting a model or visual family, then mapping fields to the selected model to enable the extraction of the chosen entities.\u003c/p\u003e\n"],["\u003cp\u003eWhen extracting text using regular expressions in Google SecOps, use lookahead and lookbehind functions, since Google SecOps does not support regular expression groups.\u003c/p\u003e\n"]]],[],null,["# Create Entities (Mapping & Modeling)\n\nCreate Entities (Mapping \\& Modeling)\n=====================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nQuick Summary\n-------------\n\n\nGoogle Security Operations uses an automated system (Ontology) to extract the main objects\nof interest from the raw alerts to create entities. Each entity will be\nrepresented by an object that can track its own history for future reference.\n\nOverview\n--------\n\n\nEntities are objects that represent points of interest extracted from alerts\n(IOCs, artifacts etc.). Entities allow you to automatically track their\nhistory, group alerts without human intervention and hunt for malicious\nactivity based on the relationship between the different entities. \nEntities\ncan also help security analysts to read cases faster and build playbooks more\nseamlessly.\n\n\nPart of configuring the Ontology involves a process called Mapping and\nModeling. In this process you select the visual representation of alerts and\nthe Entities that should be extracted from it. \nGoogle SecOps provides\nbasic Ontology rules for most popular SIEM products out-of-the-box.\n\n\nThe best time to start customizing the Ontology is when you already have a\nConnector that pulls data into Google SecOps. When configuring Ontology, the\nuser is first required to choose the visualization type for the data (select\nthe model \\\\ visual family) and then map the fields to support the selected\nmodel and extract the entities (mapping).\n\nSupported entities\n------------------\n\n\nThe following entities are supported:\n\n- Address\n- Application\n- Cluster\n- Container\n- Credit Card\n- CVE\n- Database\n- Deployment\n- Destination URL\n- Domain\n- Email Subject\n- File Hash\n- File Name\n- Generic Entity\n- Host Name\n- IP Set\n- MAC Address\n- Phone Number\n- POD\n- Process\n- Service\n- Threat Actor\n- Threat Campaign\n- Threat Signature\n- USB\n- User Name\n\n\u003cbr /\u003e\n\nExample -- Ingested Email\n-------------------------\n\n\nLet's map and model new data of an ingested email.\n\n1. Run the Zero to Hero test case. Refer to [Run Use Cases](/chronicle/docs/soar/marketplace/run-use-cases) for full details on how to do this.\n2. In the Cases tab, click to open the Mail case from the Cases Queue and select the Events tab.\n[](/static/chronicle/images/soar/createentities1.png)\n3. Click on settings on the right of the Alert, to open the Event Configuration screen.\n[](/static/chronicle/images/soar/createentities2.png)\n4. On the top left corner, click the word **Mail** in the hierarchy. That ensures that your configuration will automatically work for every piece of data coming from this product (Email box). \n[](/static/chronicle/images/soar/createentities3.png)\n5. Assign the Visual Family that most represents the data --- in our example we can skip this step as 'MailRelayOrTAP' has already been selected following the deployment of the Zero to Hero use case.\n6. Switch to Mapping and map the following Entity Fields: \n SourceUserName, DestinationUserName, DestinationURL, EmailSubject. \n This can be done by double clicking each and selecting the raw data field for that entity in the Extracted Field. As you can see in the screenshot below, you can provide alternative fields from which to extract the information from. [](/static/chronicle/images/soar/createentities4.png)\n7. In order to see what the original fields are in the email, click on Raw Event Properties in the top right corner. [](/static/chronicle/images/soar/createentities5.png)\n\nExtract regular expressions\n---------------------------\n\nGoogle SecOps does not support regular expression groups. To extract\ntext from the event field using regular expression patterns, use *lookahead*\nand *lookbehind* in the extraction function logic.\nIn the following example, the event field displays a large chunk of text: `Suspicious activity on A16_WWJ - Potential Account Takeover (33120)`\n\nTo extract only the text `Suspicious activity on A16_WWJ`, do the\nfollowing:\n\n1. Enter the following regular expression in the **Extraction function** value field: `Suspicious activity on A16_WWJ(?=.*)`\n2. Select the **To_String** option in the **Transformation function** field.\n\nTo extract only the text after `Suspicious activity on A16_WWJ`,\ndo the following:\n\n1. Enter the following regular expression in the **Extraction function** value field: `(?\u003c=Suspicious activity on A16_WWJ).*`\n2. Select the **To_String** option in the **Transformation function** field.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
