Ontology Overview
Google Security Operations ontology provides a formal specification that provides a shareable and reusable knowledgeable representation of alerts and events that will be consumed. The ontology allows Google Security Operations to build entities out of events and define relationships between them. This enables the user to see the full "picture" and gives them the ability to explore potential threats via the Explore Cases screen. Once entities have been defined using the ontology, you can run actions on them based on their role in the attack or event.
After you have established an initial data connection, you will need to complete the following procedures to ensure that the data is ingested into the Google Security Operations data model. You will also need to map and model new events and alerts according to your requirements and as your connectors pick up new events.
Set up model families:
Step One: Define family in Settings > Ontology > Visual Families.
Step Two: Assign the family to the Event (or Product/Source) in the Event Configuration > Visualization screen. This screen can be reached by clicking the Configure icon either on the Events tab or on the Ontology Status screen.
Map data fields:
Step One: Using the Case Management and/or Explore screen, identify missing or incorrect field information.
Step Two: Check if this can be solved by attaching a new Visual Family.
Step Three: Otherwise, edit and configure the rules that make up both the Family and the general System fields in the Event Configuration > Mapping screen.