Ontology Overview
Supported in: Google SecOps SOAR
The Google Security Operations ontology is a formal specification that provides a
shareable and reusable knowledge representation of the alerts and events that
will be consumed. The ontology allows Google SecOps to build
entities out of events and define the relationships between them. This gives the
user the full "picture" and the ability to explore potential
threats via the Explore Cases
screen. Once entities have been defined using the ontology, you can run actions on them based on their role in
the attack or event.
Note: Most integrations include a pre-configured ontology that gives you a ready-made structure you can adapt or extend to meet your needs, instead of creating the entire structure manually.
After you have established an initial data connection, you need to
complete the following procedures to ensure that the data is ingested into the
Google SecOps data model. You also need to map and model new events
and alerts according to your requirements and as your connectors pick up new
events.
Set up model families:
Step One: Define the family in
Settings > Ontology >
Visual Families.
Step Two: Assign the family to the
Event (or Product/Source) in the
Event Configuration > Visualization screen. This screen can be reached by clicking the Configure icon either on
the Events tab or on the Ontology Status screen.
Map data fields:
Step One: Using the Case
Management and/or Explore screen, identify missing or incorrect field
information.
Step Two: Check if this can be
solved by attaching a new Visual Family.
Step Three: Otherwise, edit and
configure the rules that make up both the Family and the general System fields
in the
Event Configuration > Mapping screen.
Last updated 2025-08-29 UTC.