Create entities (mapping and modeling)
Supported in: Google SecOps SOAR
Google Security Operations uses an automated system (ontology) to extract the main objects of interest from raw alerts and create entities. Each entity is represented by an object that can track its own history for future reference.
Entities Overview
Entities are objects that represent points of interest extracted from alerts, such as Indicators of Compromise (IoCs) and artifacts. They help security analysts by:
Automatically tracking history.
Grouping alerts without human intervention.
Hunting for malicious activity based on relationships between entities.
Making cases easier to read and enabling seamless playbook creation.
To configure the ontology, you'll need to map and model your data. This
involves selecting a visual representation for alerts and defining which
entities should be extracted. Google SecOps provides pre-configured
ontology rules for most popular SIEM products.
The best time to customize the ontology is after you have a connector pulling
data into Google SecOps. The process involves two main steps:
Modeling: Choose the visual representation (model/visual family) for your data.
Mapping: Map the fields to support the selected model and extract entities.
Supported entities
The following entities are supported:
Address
Application
Cluster
Container
Credit Card
CVE
Database
Deployment
Destination URL
Domain
Email Subject
File Hash
Filename
Generic Entity
Hostname
IP Set
MAC Address
Phone Number
POD
Process
Service
Threat Actor
Threat Campaign
Threat Signature
USB
User Name
Use case: Map and model new data of ingested email
This use case shows how to map and model new data of an ingested email:
1. Go to Marketplace > Use Case.
2. Run the Zero to Hero test case. Refer to Run Use Cases for full details on how to do this.
3. In the Cases tab, select the Mail case from the Cases Queue and select the Events tab.
4. To open the Event Configuration screen, click the settings icon (Event Configuration) next to the alert.
5. In the hierarchy, click Mail. This ensures that your configuration will automatically work for every piece of data coming from this product (Email box).
6. Assign the Visual Family that most represents the data. In our example this step can be skipped, because MailRelayOrTAP has already been selected following the deployment of the Zero to Hero use case.
7. Switch to Mapping and map the following entity fields; double-click each entity and select the raw data field for that entity in the extracted field. You can provide alternative fields from which to extract the information:
   SourceUserName
   DestinationUserName
   DestinationURL
   EmailSubject
8. To see what the original fields are in the email, click Raw Event Properties in the top right corner.
Extract regular expressions
Google SecOps doesn't support regular expression groups. To extract
text from the event field using regular expression patterns, use lookahead
and lookbehind in the extraction function logic.
In the following example, the event field displays a large chunk of text: Suspicious activity on A16_WWJ - Potential Account Takeover (33120)
To extract only the text Suspicious activity on A16_WWJ, do the following:
1. Enter the following regular expression in the Extraction function value field: Suspicious activity on A16_WWJ(?=.*)
2. Select the To_String option in the Transformation function field.
To extract only the text after Suspicious activity on A16_WWJ, do the following:
1. Enter the following regular expression in the Extraction function value field: (?<=Suspicious activity on A16_WWJ).*
2. Select the To_String option in the Transformation function field.
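As an added example (not part of this page or the product's own code), the following Python script applies the two patterns above to the sample event field using only the whole match, never a capture group, and generalises the same lookaround technique to pull the numeric ID out of the trailing parentheses. It assumes Python's re module behaves like the platform's extraction engine for these patterns; the sample text, the extract helpers and the ALERT_ID pattern are constructed here.

```python
import re
from typing import Optional

# Constructed sample input: the event field text quoted on this page.
EVENT_FIELD = "Suspicious activity on A16_WWJ - Potential Account Takeover (33120)"


def extract(pattern: str, text: str) -> Optional[str]:
    """Return the whole match (group 0) of pattern in text, or None.

    Deliberately ignores numbered/named groups: this mimics an extraction
    function that exposes only the matched text, so the pattern itself must
    use lookarounds to leave out what it does not want.
    """
    m = re.search(pattern, text)
    return m.group(0) if m else None


# Pattern 1 from the page: keep the leading description only. The lookahead
# (?=.*) asserts that the rest of the line follows without consuming it.
LEADING_TEXT = r"Suspicious activity on A16_WWJ(?=.*)"

# Pattern 2 from the page: everything after the description. The lookbehind
# requires the fixed-width prefix but leaves it out of the match.
TRAILING_TEXT = r"(?<=Suspicious activity on A16_WWJ).*"

# Generalisation of the same technique (assumption, not on the page): pull the
# numeric ID out of the trailing parentheses without matching the parentheses.
ALERT_ID = r"(?<=\()\d+(?=\))"


def extract_with_groups(text: str) -> Optional[dict]:
    """Contrast case: the same split written with capture groups.

    group(0) is the entire line, so an engine that returns only the whole
    match cannot use this pattern to isolate either half; that is the
    limitation the lookaround patterns above work around.
    """
    m = re.search(r"(Suspicious activity on A16_WWJ)\s*-\s*(.*)", text)
    if not m:
        return None
    return {"group0": m.group(0), "group1": m.group(1), "group2": m.group(2)}


if __name__ == "__main__":
    for name, pat in (("leading", LEADING_TEXT), ("trailing", TRAILING_TEXT), ("id", ALERT_ID)):
        print(f"{name:8s} -> {extract(pat, EVENT_FIELD)!r}")
    print(extract_with_groups(EVENT_FIELD))
```

The second pattern keeps the leading space and hyphen (" - Potential Account Takeover (33120)"), so trim them in a later transformation if the entity value should start at "Potential".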
Last updated 2025-09-04 UTC.