Create Entities (Mapping & Modeling)
Quick Summary
Google Security Operations uses an automated system (Ontology) to extract the main objects of interest from the raw alerts to create entities. Each entity will be represented by an object that can track its own history for future reference.
Overview
Entities are objects that represent points of interest extracted from alerts
(IOCs, artifacts etc.). Entities allow you to automatically track their
history, group alerts without human intervention and hunt for malicious
activity based on the relationship between the different entities.
Entities
can also help security analysts to read cases faster and build playbooks more
seamlessly.
Part of configuring the Ontology involves a process called Mapping and
Modeling. In this process you select the visual representation of alerts and
the Entities that should be extracted from it.
Google Security Operations provides
basic Ontology rules for most popular SIEM products out-of-the-box.
The best time to start customizing the Ontology is when you already have a Connector that pulls data into Google Security Operations. When configuring Ontology, the user is first required to choose the visualization type for the data (select the model \ visual family) and then map the fields to support the selected model and extract the entities (mapping).
Supported entities
The following entities are supported:
- Address
- Application
- Cluster
- Container
- Credit Card
- CVE
- Database
- Deployment
- Destination URL
- Domain
- Email Subject
- File Hash
- File Name
- Generic Entity
- Host Name
- IP Set
- MAC Address
- Phone Number
- POD
- Process
- Service
- Threat Actor
- Threat Campaign
- Threat Signature
- USB
- User Name
Example – Ingested Email
Let's map and model new data of an ingested email.
- Run the Zero to Hero test case. Refer to Run Use Cases for full details on how to do this.
- In the Cases tab, click to open the Mail case from the Cases Queue and select the Events tab.
- Click on settings on the right of the Alert, to open the Event Configuration screen.
-
On the top left corner, click the word Mail in the hierarchy. That
ensures that your configuration will automatically work for every piece of
data coming from this product (Email box).
- Assign the Visual Family that most represents the data — in our example we can skip this step as 'MailRelayOrTAP' has already been selected following the deployment of the Zero to Hero use case.
-
Switch to Mapping and map the following Entity Fields:
SourceUserName, DestinationUserName, DestinationURL, EmailSubject.
This can be done by double clicking each and selecting the raw data field for that entity in the Extracted Field. As you can see in the screenshot below, you can provide alternative fields from which to extract the information from. - In order to see what the original fields are in the email, click on Raw Event Properties in the top right corner.
Extract regular expressions
Google Security Operations does not support regular expression groups. To extract text from the event field using regular expression patterns, use lookahead and lookbehind in the extraction function logic.
In the following example, the event field displays a large chunk of text:Suspicious activity on A16_WWJ - Potential Account Takeover (33120)
To extract only the text Suspicious activity on A16_WWJ
, do the
following:
- Enter the following regular expression in the Extraction function
value field:
Suspicious activity on A16_WWJ(?=.*)
- Select the To_String option in the Transformation function field.
To extract only the text after Suspicious activity on A16_WWJ
,
do the following:
- Enter the following regular expression in the Extraction function
value field:
(?<=Suspicious activity on A16_WWJ).*
- Select the To_String option in the Transformation function field.